[H-02] Wrong decimals precision when using RdpxEthOracle as oracle returns price in 18 decimals #624
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-549
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L605
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L669
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L673
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVault.sol#L27
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L253
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L274
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L255
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L275
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1172
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1181
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L281
Vulnerability details
Impact
All prices are assume to return 8 decimal precision, but the oracle clearly return all prices in 18 decimals as seen in
RdpxEthOracle.sol
. The two price functions used aregetLpPriceInETH()
andgetRdpxPriceInEth()
.getRdpxPriceInEth()
:RdpxEthOracle.sol#L250
getLpPriceInETH()
:RdpxEthOracle.sol#L217
getLpPrice()
, which is in turn used ingetLpTokenBalanceInWeth()
In the
RdpxV2Core.sol
core contract, it can cause the following:_transfer()
reverting from underflow here (assuming APP puts are not allowed to be purchased)upperDepeg()
decollaterization, if slippage not specified, since slippage (minOut
) will be overestimated herelowerDepeg
recollaterization, as price check here will always revert hereIn the
PerpetualAtlanticVault.sol
contract, it can cause the following:In the
ReLPContract.sol
contract, it can cause the following:_transfer()
andpurchase()
did not revert, the reLP process will revert due to overestimated amount of rDPX by a factor of 10 to be swapped out using half of wETH here. This reverts the whole reLP process and consequently, the bonding process.In the
PerpetualAtlanticVaultLP.sol
contract, it can cause the following:PerpetualAtlanticVaultLP.convertToShares()
here, leading to rounding down of shares to 0 and DoSing option writers from depositing collateral into LP vault due to a check reverting here and affecting APP option process.Tools Used
Manual Analysis
Recommendation
In the following LOC, change precision of operators, division or multiplication from 1e8 to 1e18
In the function
ReLPContract.reLP()
, change precision dividing from 1e16 to 1e26In the function
RdpxV2Core.calculateBondCost()
, multiply by1e18
Instead ofDEFAULT_PRECISION
in the following LOC:Assessed type
Context
The text was updated successfully, but these errors were encountered: