The GMXEmergency contract doesn't pass slippage arguments to the GMX request inside the emergencyPause and emergencyResume functions. As a result, they can be sandwiched.
The GMXEmergency contract can pause the protocol using the emergencyPause function.
https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXEmergency.sol#L47-L66
This function creates a RemoveLiquidityParams struct and sets only lpAmt and executionFee on it. It then passes this struct on to execute the GMX request. Later, in GMXWorker, the struct is used to fetch the minimum amounts that should be received after the withdrawal. Because these minimum amounts were never set, they are 0, so the withdrawal has no slippage protection.
The exact same situation applies to the emergencyResume function, where minMarketTokenAmt is not calculated.
So both of these functions can be sandwiched for profit. The main risk is that the whole vault balance is used here.
The functions don't have slippage protection.
VsCode
You need to calculate the minimum amounts that you are going to receive from GMX.
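One way to compute those minimums for both the pause and resume paths, as an added sketch that is not SteadeFi's own code. The library name, function names and parameters are hypothetical, and it assumes an 18-decimal LP token and oracle prices expressed as USD per whole token scaled by 1e18.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not SteadeFi code. Every name below is hypothetical.
// Assumptions: LP token has 18 decimals; all prices are USD per whole token,
// scaled by 1e18, and come from an oracle rather than from pool spot state
// (a minimum derived from manipulable pool state gives no protection).
library EmergencySlippage {
    uint256 internal constant BPS = 10_000;
    uint256 internal constant WAD = 1e18;

    error InvalidSlippage(uint256 slippageBps);
    error InvalidPrice();

    // Reduce an expected amount by the tolerated slippage, rounding down.
    function applySlippage(uint256 amt, uint256 slippageBps) internal pure returns (uint256) {
        if (slippageBps >= BPS) revert InvalidSlippage(slippageBps);
        return (amt * (BPS - slippageBps)) / BPS;
    }

    // emergencyPause path: minimum of one underlying token to accept when
    // burning lpAmt, where shareBps is the part of the LP value expected
    // back in that token (e.g. 5_000 for an evenly split pool).
    function minTokenOut(
        uint256 lpAmt,
        uint256 lpPrice,
        uint256 tokenPrice,
        uint8 tokenDecimals,
        uint256 shareBps,
        uint256 slippageBps
    ) internal pure returns (uint256) {
        if (lpPrice == 0 || tokenPrice == 0) revert InvalidPrice();
        uint256 shareValue = (lpAmt * lpPrice * shareBps) / (WAD * BPS);
        uint256 expected = (shareValue * 10 ** uint256(tokenDecimals)) / tokenPrice;
        return applySlippage(expected, slippageBps);
    }

    // emergencyResume path: minimum LP (market) tokens to accept when
    // re-depositing assets worth depositValue (USD, 1e18-scaled).
    function minLpOut(uint256 depositValue, uint256 lpPrice, uint256 slippageBps)
        internal pure returns (uint256)
    {
        if (lpPrice == 0) revert InvalidPrice();
        return applySlippage((depositValue * WAD) / lpPrice, slippageBps);
    }
}
```

The results would be written into the minimum-amount fields of the request parameters before the GMX request is created, so that they are no longer left at 0.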
Impact: High. Likelihood: Low. Because the whole lpToken balance is used during the emergency process, the impact is high. But the likelihood is LOW because of the dependence on the emergency.