Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

There is no functionality to upgrade or migrate to new GMX implementations

Summary

In the current implementation of a GMXVault, there is no functionality for migration or upgrading if any of the GMX external contracts receive new implementations or if any of its associated markets migrate their tokens to another location.

Vulnerability Details

As it stands, the GMXVault owner has initially set all the key external contracts, including:

  • ExchangeRouter
  • Router
  • DepositVault
  • WithdrawalVault
  • RoleStore

However, there is currently no mechanism in place to update these contracts. Additionally, if, at any point in the future, GMX decides to move reserves to different vaults using new addresses, funds will get stuck in this contract because it won't reflect the latest versions of these contracts.

Impact

Failing to update important external contracts leaves the vault on old implementations and is error-prone.

Tools Used

Manual

Recommendations

It would be advisable to include logic that allows for the updating of these addresses and also logic to facilitate the migration of tokens in response to future changes. This proactive approach will enhance the flexibility and adaptability of the GMXVault contract and ensure it remains compatible with any modifications.
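One way to implement the address-update half of this recommendation, as an added example that is not Steadefi's code: an owner-gated, two-step update for the five external contracts listed above. The contract, function and event names, the 2-day delay and the contract-code check are assumptions; token migration is not covered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added illustration; contract, function and event names are hypothetical,
// not taken from the Steadefi code base.
contract ExternalAddressRegistry {
    // The five external GMX contracts named in the finding.
    enum Target { ExchangeRouter, Router, DepositVault, WithdrawalVault, RoleStore }
    struct Pending { address addr; uint64 readyAt; }

    uint64 public constant DELAY = 2 days; // assumed value
    address public immutable owner;
    mapping(Target => address) public current;
    mapping(Target => Pending) public pending;

    event UpdateProposed(Target indexed target, address indexed addr, uint64 readyAt);
    event UpdateApplied(Target indexed target, address indexed oldAddr, address indexed newAddr);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address[5] memory initial) {
        owner = msg.sender;
        for (uint256 i = 0; i < 5; i++) {
            require(initial[i].code.length > 0, "not a contract");
            current[Target(i)] = initial[i];
        }
    }

    // Step 1: announce the new address so depositors can react before it takes effect.
    function proposeUpdate(Target target, address addr) external onlyOwner {
        require(addr.code.length > 0, "not a contract");
        uint64 readyAt = uint64(block.timestamp) + DELAY;
        pending[target] = Pending(addr, readyAt);
        emit UpdateProposed(target, addr, readyAt);
    }

    // Step 2: after the delay, switch the vault to the new address.
    function applyUpdate(Target target) external onlyOwner {
        Pending memory p = pending[target];
        require(p.addr != address(0), "nothing pending");
        require(block.timestamp >= p.readyAt, "delay not elapsed");
        emit UpdateApplied(target, current[target], p.addr);
        current[target] = p.addr;
        delete pending[target];
    }
}
```

The delay and events matter because a mutable address lets the owner redirect vault calls; an announced, delayed change keeps that power observable.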

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Immutable external address

Impact: High; Likelihood: Low
