Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

emergencyPause/emergencyResume functions don’t let keeper adjust the slippage

0xCiphky

Summary

The protocol implements an emergencyPause function to be called by approved Keepers in an emergency situation. This function is designed to convert all liquidity pool tokens back to the underlying assets and hold them in the vault, also pausing all vault activities, including asset deposits, borrows, or rebalancing. However, the function fails to allow keepers to adjust the slippage that will be used when converting all liquidity pool tokens back to the underlying assets opening the door for MEV attacks.

Vulnerability Details

The emergencyPause function is called by keepers in an emergency situation, this will call GMXManager.removeLiquidity which withdraws the protocol's liquidity from the pool without allowing for slippage adjustment

// contract GMXVault

function emergencyPause() external payable onlyKeeper {

GMXEmergency.emergencyPause(_store);

}

// library GMXEmergency

function emergencyPause(

GMXTypes.Store storage self

) external {

self.refundee = payable(msg.sender);

GMXTypes.RemoveLiquidityParams memory _rlp;

// Remove all of the vault's LP tokens

_rlp.lpAmt = self.lpToken.balanceOf(address(this));

_rlp.executionFee = msg.value;

GMXManager.removeLiquidity(

self,

_rlp

);

self.status = GMXTypes.Status.Paused;

emit EmergencyPause();

}

When liquidity is added in GMXManager.addLiquidity the minMarketTokens parameter will be zero (default value).

When liquidity is removed in GMXManager.removeLiquidity the minLongTokenAmount and minShortTokenAmount will also be set to zero (default value).

Impact

A malicious actor can sandwich the emergencyPause function, leading to significant losses for the protocol.

Similarly, the emergencyResume function is also susceptible to this issue when it attempts to add liquidity back into the pool without slippage adjustments.

Tools Used

Manual analysis

Recommendations

The emergencyPause and emergencyResume functions should be modified to include a slippage parameter that Keepers can adjust during each call.

function emergencyPause(uint256 slippage) external payable onlyKeeper {

GMXEmergency.emergencyPause(_store, slippage);

}

function emergencyResume(uint256 slippage) external payable onlyOwner {

GMXEmergency.emergencyResume(_store, slippage);

}

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Slippage protection on emergency Pause/Resume

Impact: High Likelihood: Low Because the whole lpToken balance is used during the emergency process, the impact is high. But the likelihood is LOW because of the dependence on the emergency.

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.