Inconsistent Update of _totalCollateral(WETH) value in PerpetualAtlanticVaultLP.sol #730
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-867
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L159-L174
Vulnerability details
Impact
Whenever shares are redeemed in PerpetualAtlanticVaultLP, there is an accounting deficit that causes a revert in PerpetualAtlanticVaultLP.addProceeds(), leading to a denial of service in multiple functions that call PerpetualAtlanticVaultLP.addProceeds() through PerpetualAtlanticVault.updateFunding(), such as PerpetualAtlanticVault.purchase(), PerpetualAtlanticVault.settle(), PerpetualAtlanticVaultLP.deposit(), and PerpetualAtlanticVaultLP.redeem().
Proof of Concept
PerpetualAtlanticVaultLP.deposit(), where funds are transferred from the user to the contract and _totalCollateral is updated (incremented).
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L128-L132

On redemption, _rdpxCollateral is updated (decremented) but _totalCollateral is not.
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L162-L175

In PerpetualAtlanticVaultLP.addProceeds(), a check asserts that the collateral balanceOf is equal to or greater than _totalCollateral + proceeds; this will NEVER hold if shares have been redeemed.
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L191-L194

Instance:
-- Alice makes a deposit of 100 collateral tokens to get equivalent shares; this increases _totalCollateral by 100.
-- Alice redeems 50% of her shares to get 50 collateral tokens transferred back to her by the contract, reducing the contract balance by 50 but with no corresponding decrease in _totalCollateral.
-- So whenever collateral.balanceOf(address(this)) >= _totalCollateral + proceeds is checked, _totalCollateral will still hold 100+, so the check always fails.
-- The ripple effect is that all functions that rely on the check fail.
Tools Used
Manual review.
Recommended Mitigation Steps
Update _totalCollateral after transferring collateral to the redeemer.
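The Alice scenario above, replayed in a small Python ledger model with and without the recommended mitigation. This is an added example, not the contract's Solidity code and not part of the original submission. The class and function names are hypothetical, shares are assumed to be minted 1:1 with collateral, and proceeds are assumed to be transferred in before the balance check runs.

```python
class VaultLPModel:
    """Toy ledger for the report's scenario; not the Dopex contract code."""

    def __init__(self, decrement_on_redeem):
        self.balance = 0            # stands in for collateral.balanceOf(address(this))
        self.total_collateral = 0   # stands in for _totalCollateral
        self.shares = {}
        self.decrement_on_redeem = decrement_on_redeem

    def deposit(self, user, assets):
        # Assumption: shares are minted 1:1 with collateral to keep the arithmetic visible.
        self.balance += assets
        self.total_collateral += assets
        self.shares[user] = self.shares.get(user, 0) + assets

    def redeem(self, user, shares):
        if shares > self.shares.get(user, 0):
            raise ValueError("insufficient shares")
        self.shares[user] -= shares
        self.balance -= shares      # collateral transferred out to the redeemer
        if self.decrement_on_redeem:
            self.total_collateral -= shares   # the recommended mitigation

    def add_proceeds(self, proceeds):
        # Assumption: the proceeds are transferred in before the check runs.
        new_balance = self.balance + proceeds
        if new_balance < self.total_collateral + proceeds:
            raise RuntimeError("revert: balance < _totalCollateral + proceeds")
        self.balance = new_balance
        self.total_collateral += proceeds


def run_scenario(decrement_on_redeem, proceeds=10):
    """Alice deposits 100, redeems 50, then proceeds are added."""
    vault = VaultLPModel(decrement_on_redeem)
    vault.deposit("alice", 100)
    vault.redeem("alice", 50)
    try:
        vault.add_proceeds(proceeds)
        reverted = False
    except RuntimeError:
        reverted = True
    return reverted, vault.balance, vault.total_collateral


if __name__ == "__main__":
    print("as described:", run_scenario(False))
    print("mitigated:   ", run_scenario(True))
```

run_scenario returns whether addProceeds reverted, followed by the modelled balance and the tracked total, so the 50-token gap between the two is visible in the unmitigated run.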
Assessed type
Token-Transfer