Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Invalid

GMXOracle.getLpTokenValue is checked in the same way for deposits and withdrawals

Summary

GMXOracle.getLpTokenValue is fetched in the same way for deposits and withdrawals; however, a different param should be sent for deposits, which has an effect on token calculation.

Vulnerability Details

The GMXOracle.getLpTokenValue function is used to get the price of the GMX LP token. It has 2 params, isDeposit and maximize, which should be provided if you want to get the correct price for a specific operation.

As the isDeposit param's name states, it should be true if you plan to deposit after the calculation and false if you plan to withdraw. However, the protocol always sets this parameter to false for all calculations. For example, here for deposits, and here for compounds and rebalance add, as they both call GMXManager.calcMinMarketSlippageAmt to calculate the min LP token amount to receive.

As a result, calculations can be wrong, which will have an effect on slippage (so it can be bigger or smaller than needed), which will allow sandwichers to steal funds sometimes, when it's profitable.

Impact

The LP token price calculation is wrong for deposits.

Tools Used

VS Code

Recommendations

When you fetch the price for deposits, provide true as the isDeposit param.

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
