Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

ExchangeRouter and gmxOracle address can’t be modified

Summary

GMXVault's current implementation sets the gmxOracle and exchangeRouter addresses at deployment with no capability to update them. Given that GMX documentation suggests the potential for these addresses to change in the future, the lack of an update mechanism could result in operational issues if and when an update is required.

"If using contracts such as the ExchangeRouter, Oracle or Reader do note that their addresses will change as new logic is added"

The GMXVault contract is configured with the gmxOracle and exchangeRouter addresses in its constructor. However, there is no functionality to change these addresses afterwards.

constructor(string memory name, string memory symbol, GMXTypes.Store memory store_)
    ERC20(name, symbol)
    Ownable(msg.sender)
{
    _store.gmxOracle = IGMXOracle(store_.gmxOracle);
    _store.exchangeRouter = IExchangeRouter(store_.exchangeRouter);
    _store.router = store_.router;
    _store.depositVault = store_.depositVault;
    _store.withdrawalVault = store_.withdrawalVault;
    _store.roleStore = store_.roleStore;
    _store.swapRouter = ISwap(store_.swapRouter);
    ...
}

Impact

The inability to update these addresses means that GMXVault risks becoming incompatible with newer versions of related contracts or could continue to rely on outdated or potentially insecure versions.

Tools Used

Manual analysis

Recommendations

Add owner-only functions that enable the updating of the gmxOracle and exchangeRouter addresses.
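
One way to implement this recommendation, as an added example that is not Steadefi's code. The contract name, function names, events, errors, the two-field Store struct and the empty placeholder interfaces are assumptions made for illustration; only gmxOracle, exchangeRouter, _store and Ownable(msg.sender) come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Placeholder interfaces (assumption): the real ones are defined by the project.
interface IGMXOracle {}
interface IExchangeRouter {}

// Hypothetical contract holding only the two addresses named in the finding.
contract UpdatableGMXAddresses is Ownable {
    struct Store {
        IGMXOracle gmxOracle;
        IExchangeRouter exchangeRouter;
    }
    Store internal _store;

    event GMXOracleUpdated(address indexed previous, address indexed current);
    event ExchangeRouterUpdated(address indexed previous, address indexed current);
    error ZeroAddress();
    error NotAContract(address target);

    constructor(address gmxOracle_, address exchangeRouter_) Ownable(msg.sender) {
        _store.gmxOracle = IGMXOracle(_checked(gmxOracle_));
        _store.exchangeRouter = IExchangeRouter(_checked(exchangeRouter_));
    }

    // Owner-only setters: each validates the new address and logs old and new values.
    function updateGMXOracle(address newOracle) external onlyOwner {
        address previous = address(_store.gmxOracle);
        _store.gmxOracle = IGMXOracle(_checked(newOracle));
        emit GMXOracleUpdated(previous, newOracle);
    }

    function updateExchangeRouter(address newRouter) external onlyOwner {
        address previous = address(_store.exchangeRouter);
        _store.exchangeRouter = IExchangeRouter(_checked(newRouter));
        emit ExchangeRouterUpdated(previous, newRouter);
    }

    // Rejects the zero address and addresses with no deployed code.
    function _checked(address target) private view returns (address) {
        if (target == address(0)) revert ZeroAddress();
        if (target.code.length == 0) revert NotAContract(target);
        return target;
    }
}
```

Since the owner can now repoint the vault's oracle and router, the emitted events give monitoring a record of every change and of the address it replaced.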

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Immutable external address

Impact: High Likelihood: Low
