Steadefi

Tags: DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

`GMXVault` contract: malicious/corrupted oracles can't be updated

Summary

GMXVault contract: malicious/corrupted oracles can't be updated

Vulnerability Details

  • The GMXVault contract uses the Chainlink oracle and the gmxOracle to fetch the prices of the vault assets when depositing, withdrawing and swapping.

  • But if any of these contracts is compromised/hacked, starts to act maliciously or becomes corrupted, there is no way for the contract owner to update them: both addresses are set once in the constructor and no setter exists.

Impact

This will prevent the vault from obtaining the actual asset prices, since the results returned from the corrupted contracts will become unreliable/invalid, and the only remedy would be redeploying the vault.

Proof of Concept

GMXVault.constructor (the oracle addresses are assigned here and nowhere else):

    _store.chainlinkOracle = IChainlinkOracle(store_.chainlinkOracle);
    _store.gmxOracle = IGMXOracle(store_.gmxOracle);

Tools Used

Manual Review.

Recommendations

Add an owner-restricted function to update each of these oracles if they get compromised or start to act maliciously.
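A minimal sketch of the recommended fix, added here as an example and not taken from the Steadefi code base: the vault keeps the same `_store` layout as in the PoC but exposes owner-only setters that reject the zero address and emit an event, so an oracle swap is visible on-chain. `IChainlinkOracle` and `IGMXOracle` are reduced to empty placeholder interfaces, and the `owner`/`onlyOwner` logic is an assumption standing in for whatever access control the real vault uses.

```solidity
// Added example, not Steadefi's code. Placeholder interfaces only; the real
// Steadefi oracle interfaces are not reproduced here.
pragma solidity ^0.8.0;

interface IChainlinkOracle {}
interface IGMXOracle {}

contract OracleUpdatableVault {
    struct Store {
        IChainlinkOracle chainlinkOracle;
        IGMXOracle gmxOracle;
    }

    Store internal _store;
    address public owner; // assumed access-control model (EOA or multisig)

    event OracleUpdated(string which, address oldOracle, address newOracle);

    error NotOwner();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address chainlinkOracle_, address gmxOracle_) {
        owner = msg.sender;
        _store.chainlinkOracle = IChainlinkOracle(chainlinkOracle_);
        _store.gmxOracle = IGMXOracle(gmxOracle_);
    }

    // Privileged setters so a compromised or corrupted feed can be swapped out
    // without redeploying the vault. Routing the owner role through a multisig
    // or timelock makes the swap itself reviewable before it takes effect.
    function updateChainlinkOracle(address newOracle) external onlyOwner {
        if (newOracle == address(0)) revert ZeroAddress();
        emit OracleUpdated("chainlink", address(_store.chainlinkOracle), newOracle);
        _store.chainlinkOracle = IChainlinkOracle(newOracle);
    }

    function updateGmxOracle(address newOracle) external onlyOwner {
        if (newOracle == address(0)) revert ZeroAddress();
        emit OracleUpdated("gmx", address(_store.gmxOracle), newOracle);
        _store.gmxOracle = IGMXOracle(newOracle);
    }
}
```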

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink price feed can not be updated

Impact: High
Likelihood: Low
