Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Deadline Parameter in `addLiquidity` and `removeLiquidity` Functions

Summary

This report highlights the absence of a deadline parameter in the `addLiquidity` and `removeLiquidity` functions of the GMXWorker contract. The lack of this time-sensitive feature poses risks related to potential front-running, missed arbitrage opportunities and unpredictable transaction finality.

Vulnerability Details

The `addLiquidity` and `removeLiquidity` functions in the GMXWorker contract do not include a parameter for specifying a deadline by which the transaction must be executed. The absence of a deadline parameter means that users cannot enforce a specific time frame within which their liquidity provision or removal actions should be completed.

When users trigger deposit requests, they can directly call the `addLiquidity` function. However, the absence of a deadline allows users to submit these requests without a clear timeframe for execution. This can lead to a lack of predictability and potential operational challenges.

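```solidity
// Deposit path: no deadline is passed alongside the liquidity parameters
_dc.depositKey = GMXManager.addLiquidity(
  self,
  _alp
);

// Withdrawal path: likewise, no deadline is passed
_wc.withdrawKey = GMXManager.removeLiquidity(
  self,
  _rlp
);
```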

The implementation of the functions in the GMXManager and GMXWorker does not include any checks for a deadline value.

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXWorker.sol#L23-L26

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXWorker.sol#L72-L75

Impact

Users may not be able to execute their liquidity provision or removal in response to rapidly changing market conditions, potentially missing out on profitable trades.

Tools Used

Manual analysis

Recommendations

Add a deadline parameter to the functions.

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
