Steadefi
Steadefi
DeFiHardhatFoundryOracle
35,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

The vault can be reactivated after "Status.Closed"

pina

Summary

After calling emergencyClose() the vault should not be able to be opened again, but this may be because the state check is missing in the emergencyClose() function.

Vulnerability Details

The GMXVault.sol should not be reactivated again, after emergencyClose() and repaying all users, but it may be activated again.

On emergencyClose() the final state of this vault is changed to GMXTypes.Status.Closed; but the keeper can call emergencyPause() -> GMXEmergency.sol.emergencyPause() again since it has no check for the state of the vault as the other functions have.

unction emergencyPause(
GMXTypes.Store storage self
) external {
self.refundee = payable(msg.sender);
GMXTypes.RemoveLiquidityParams memory _rlp;
// Remove all of the vault's LP tokens
_rlp.lpAmt = self.lpToken.balanceOf(address(this));
_rlp.executionFee = msg.value;
GMXManager.removeLiquidity(
self,
_rlp
);
self.status = GMXTypes.Status.Paused; // @audit change the status
emit EmergencyPause();
}

Because the protocol no longer has LP token, there will be no error when withdrawing liquidity.

After calling EmergencyClose. It has to be a one-way action.

Impact

A malicious keeper can deny emergency withdrawal to all users.

Tools Used

Manual Code Review

Recommendations

Add a function called beforeEmergencyPauseChecks() in GMXChecks.sol that does the vault status check like the other checks do.

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Vault can be opened again after close

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.