The protocol can receive native tokens. They won't get stuck, because a couple of functions help sweep them, but a malicious bot can remove the tokens before that happens.
The protocol has no problem receiving native tokens; it allows it:
GMXVault.sol
The conditions cover only the case where the user's amount must be reimbursed; if that is not the case, the balance of the contract will grow.
These contracts do not hold this native token forever; there are two functions that guarantee to clean up all of this stuck native token.
One option: if a user attempts to withdraw their native token while the contract has a native token balance and the withdrawal is successful, the user will receive more than what they initially withdrew.
https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXWithdraw.sol#L182
But there is another, easier option for the attacker.
If the contract has a native token balance, the attacker simply calls deposit() with the wrong parameters, to try and get the deposit canceled.
processDepositCancellation() is called after adding liquidity to GMX has failed. It proceeds to repay borrowed assets and return the deposited assets to the user.
The malicious user can take the entire balance of this contract immediately after the contract receives native token.
The reasons for processDepositCancellation() being called can be:
Usually, an overly aggressive slippage requirement after a user deposit action.
If there isn’t enough available supply to buy into GM.
Executing the request with insufficient gas.
These are some of the reasons given by the sponsor.
If the protocol receives any prize, donation, user error, etc., a malicious user can steal it immediately.
Manual Code Review
Correctly handle the reception of the native token when it does not meet the proposed conditions.
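One way to apply this recommendation, as an added sketch that is not taken from the Steadefi code base: the contract name, `trustedRefunder`, `refundee`, `beginAction()` and the custom errors are all hypothetical, and the "weak pattern" comment is an assumption about the behaviour this finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical vault constructed for this example; not Steadefi code.
contract NativeRefundSketch {
    // Assumed: the only contract expected to send native-token refunds here.
    address public immutable trustedRefunder;
    // Assumed: the user whose pending action the next refund belongs to.
    address public refundee;

    error UnexpectedNativeToken(address sender, uint256 amount);
    error NoPendingRefundee();
    error RefundFailed();

    constructor(address trustedRefunder_) {
        trustedRefunder = trustedRefunder_;
    }

    // Stand-in for starting a deposit or withdrawal: records who gets the refund.
    function beginAction() external {
        refundee = msg.sender;
    }

    // Weak pattern (for contrast): accept native token from any sender and later
    // refund address(this).balance, so stray funds go to whoever triggers a refund.
    //
    // Hardened pattern: reject senders that do not meet the expected condition,
    // and forward exactly msg.value rather than the whole balance.
    receive() external payable {
        if (msg.sender != trustedRefunder) {
            revert UnexpectedNativeToken(msg.sender, msg.value);
        }
        address to = refundee;
        if (to == address(0)) revert NoPendingRefundee();
        (bool ok, ) = payable(to).call{value: msg.value}("");
        if (!ok) revert RefundFailed();
    }
}
```

Native token can still be forced into a contract without triggering receive() (for example via selfdestruct), which is why the refund forwards msg.value instead of the contract's full balance.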