Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

Change of GMX related addresses not accounted for

Summary

The addresses of some GMX contracts cannot be updated in the GMXVault, although in practice they can change to new addresses, with a possibility of rendering the old addresses unusable.

Vulnerability Details

The GMX integration notes state:

"If using contracts such as the ExchangeRouter, Oracle or Reader do note that their addresses will change as new logic is added."

As confirmed by a GMX team member, this can also cause the old contracts to stop working correctly. Currently, neither the Reader nor the ExchangeRouter address can be changed within the Steadefi protocol:

// GMXOracle.sol
ISyntheticReader public immutable syntheticReader;
// GMXVault.sol
// only assigned once in constructor
_store.exchangeRouter = IExchangeRouter(store_.exchangeRouter);

Impact

Steadefi will not read the proper data from GMX if the GMX contracts change.

Tools Used

Manual review and discussion with the GMX team

Recommendations

Add a function to update GMXOracle#syntheticReader and GMXVault#store#exchangeRouter, and remove the immutable modifier from GMXOracle#syntheticReader so that it becomes a regular public or private state variable.
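One way to apply this recommendation, shown as an added sketch that is not Steadefi's or GMX's code. The contract name GMXAddressConfig, the updater functions, the events, the errors and the single-owner access model are all assumptions made for illustration, and the two interfaces are empty stand-ins for the ones named above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Empty stand-ins for the GMX interfaces named in the finding (assumption).
interface ISyntheticReader {}
interface IExchangeRouter {}

/// Hypothetical holder for GMX addresses that must stay updatable.
contract GMXAddressConfig {
    address public owner;                     // assumption: single admin account
    ISyntheticReader public syntheticReader;  // no longer `immutable`
    IExchangeRouter public exchangeRouter;    // no longer constructor-only

    event SyntheticReaderUpdated(address indexed oldReader, address indexed newReader);
    event ExchangeRouterUpdated(address indexed oldRouter, address indexed newRouter);

    error NotOwner();
    error NotAContract(address target);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address reader_, address router_) {
        _requireContract(reader_);
        _requireContract(router_);
        owner = msg.sender;
        syntheticReader = ISyntheticReader(reader_);
        exchangeRouter = IExchangeRouter(router_);
    }

    function updateSyntheticReader(address newReader) external onlyOwner {
        _requireContract(newReader);
        emit SyntheticReaderUpdated(address(syntheticReader), newReader);
        syntheticReader = ISyntheticReader(newReader);
    }

    function updateExchangeRouter(address newRouter) external onlyOwner {
        _requireContract(newRouter);
        emit ExchangeRouterUpdated(address(exchangeRouter), newRouter);
        exchangeRouter = IExchangeRouter(newRouter);
    }

    // Rejects address(0) and externally owned accounts: neither has code.
    function _requireContract(address target) private view {
        if (target.code.length == 0) revert NotAContract(target);
    }
}
```

Making these addresses mutable moves trust to whoever holds the owner role, so the setters are access-controlled and emit events that monitoring can alert on. A deployment would normally place that role behind a multisig or timelock.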

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Immutable external address

Impact: High
Likelihood: Low
