Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Ineffective Status Checks in Deposit and Withdrawal Functions allow a malicious actor to stuck the vault state.

Rozzo

Summary

Both afterDepositCancellation() and afterWithdrawalCancellation() could encounter a situation where if CachedKey != Key, the function will enter an else if condition but not execute any further operations because the nested if statement is not met.

Vulnerability Details

In this example, we can see that we have two nested conditions, and if one 'if' statement is met but the nested condition is not, the final 'else' will not execute. Consequently, no revert or state change will occur, and the function execution will end without an error or changes.

function afterDepositCancellation(

bytes32 depositKey, IDeposit.Props memory, /* depositProps */ IEvent.Props memory /* eventData */ )

external

onlyController

{

GMXTypes.Store memory _store = vault.store();

if (_store.status == GMXTypes.Status.Deposit) {

if (_store.depositCache.depositKey == depositKey) {

vault.processDepositCancellation();

}

} else if (_store.status == GMXTypes.Status.Rebalance_Add) {

if (_store.rebalanceCache.depositKey == depositKey) {

vault.processRebalanceAddCancellation();

}

} else if (_store.status == GMXTypes.Status.Compound) {

if (_store.compoundCache.depositKey == depositKey) {

vault.processCompoundCancellation();

}

} else {

revert Errors.DepositCancellationCallback();

}

Same happen here:

function afterWithdrawalExecution( // called by GMX

bytes32 withdrawKey, IWithdrawal.Props memory, /* withdrawProps */ IEvent.Props memory /* eventData */ )

external

onlyController

{

GMXTypes.Store memory _store = vault.store();

if (_store.status == GMXTypes.Status.Withdraw && _store.withdrawCache.withdrawKey == withdrawKey) {

vault.processWithdraw();

} else if (

_store.status == GMXTypes.Status.Rebalance_Remove && _store.rebalanceCache.withdrawKey == withdrawKey

) {

vault.processRebalanceRemove();

} else if (_store.status == GMXTypes.Status.Deposit_Failed && _store.depositCache.withdrawKey == withdrawKey) {

vault.processDepositFailureLiquidityWithdrawal();

}

If a test is conducted with a changed key, we will see the assertion checking for the vault's state fail. In this instance, it is not reopened.

Example:

[PASS] test_processDepositCancel() (gas: 1214503)

Logs:

deposit token address 0x6E1734aC57e76fcD7fD66266Ae0C2547dB3A713a

is native token?? true

is token A true

is token B false

borrows amount after added leverage + adjusments

borrowTokenAAmt 0

borrowTokenBAmt 3200000000

msg.sender in deposti function 0xdd845642a112D7cBd82EFE83619EB39f0894521B

msg.sender 0xdd845642a112D7cBd82EFE83619EB39f0894521B

VAULT STATUS 0

[FAIL. Reason: NotAllowedInCurrentVaultStatus()] test_processDepositFailure() (gas: 1465094)

Logs:

vault address 0x6dA36424D631fcc6fC8CC621B6d6d2A087D7CF17

value should be 0 and is: 1000000000000000

deposit token address 0x6E1734aC57e76fcD7fD66266Ae0C2547dB3A713a

is native token?? false

is token A true

is token B false

borrows amount after added leverage + adjusments

borrowTokenAAmt 0

borrowTokenBAmt 3200000000

msg.sender in deposti function 0xdd845642a112D7cBd82EFE83619EB39f0894521B

msg.sender 0xdd845642a112D7cBd82EFE83619EB39f0894521B

Error: a == b not satisfied [uint]

Expected: 2

Actual: 1

Impact

The state of the vault will remain unchanged and the function will not revert considering this like a successful tx. Keepers will be not aware of that because the state is not changed and no revert is done. This cause that keepers/sentinel can not detect this and a human action will be required to reset the state back to Open.

Tools Used

Manual Review

Recommendations

Use the following pattern checking both key and status with and && and not nested if's:

function afterDepositExecution(

bytes32 depositKey, // deposit key hash ?? gmx thing

IDeposit.Props memory, /* depositProps */

IEvent.Props memory /* eventData */

) external onlyController {

GMXTypes.Store memory _store = vault.store();

if (

_store.status == GMXTypes.Status.Deposit // is deposit yes

&& _store.depositCache.depositKey == depositKey

) {

vault.processDeposit(); // @follow-up process the deposit -> this is where the GMX returns token in vault

} else if (_store.status == GMXTypes.Status.Rebalance_Add && _store.rebalanceCache.depositKey == depositKey) {

vault.processRebalanceAdd();

} else if (_store.status == GMXTypes.Status.Compound && _store.compoundCache.depositKey == depositKey) {

vault.processCompound();

} else if (_store.status == GMXTypes.Status.Withdraw_Failed && _store.withdrawCache.depositKey == depositKey) {

vault.processWithdrawFailureLiquidityAdded();

} else if (_store.status == GMXTypes.Status.Resume) {

// This if block is to catch the Deposit callback after an

// emergencyResume() to set the vault status to Open

vault.processEmergencyResume();

}

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rozzo Submitter

over 1 year ago

hans Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.