Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

PnL is incorrectly configured for deposit LP

pina

Summary

If a user wants to deposit LP tokens, the maximum ratio of (PnL / value of tokens in the pool) was established with the withdrawal limit and not for deposits accordingly.

Vulnerability Details

The price of a market token depends on the value of the assets in the pool and net pending PnL of traders open positions. This limit is the PnL factor that calculates the price of the market token.

The caps used to calculate the market token price may differ depending on activity, deposits or withdrawals (in our implementation).

if (isDeposit) {

_pnlFactorType = keccak256(abi.encode("MAX_PNL_FACTOR_FOR_DEPOSITS"));

} else {

_pnlFactorType = keccak256(abi.encode("MAX_PNL_FACTOR_FOR_WITHDRAWALS"));

}

(int256 _marketTokenPrice,) = getMarketTokenInfo(

marketToken,

indexToken,

longToken,

shortToken,

_pnlFactorType,

maximize

);

But, when this function is called in deposit():

if (dp.token == address(self.lpToken)) {

// If LP token deposited

_dc.depositValue = self.gmxOracle.getLpTokenValue(

address(self.lpToken),

address(self.tokenA),

address(self.tokenB),

false, // @audit has to be set to true

false

)

The PnL factor limit when calculating the market token price for deposits, is used with the MAX_PNL_FACTOR_FOR_WITHDRAWALS, which would be used when calculating the market token price of the market token for withdrawals.

Impact

Deposits above MAX_PNL_FACTOR_FOR_DEPOSITS are not allowed but the function is called with MAX_PNL_FACTOR_FOR_WITHDRAWALS.

Tools Used

Manual Code Review

Recommendations

Update to correct state when user wants to deposit with LP tokens:

_dc.depositValue = self.gmxOracle.getLpTokenValue(

address(self.lpToken),

address(self.tokenA),

address(self.tokenB),

- false,

+ true,

false

)

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Wrong PNL Factor in GMXDeposit for for lpToken

Impact: Medium Likelihood: High The impact of using a wrong price (conservative vs optimistic) is limited, especially given the users specify the slippage.

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.