The core idea of SteadeFi is to combine users' deposits in order to create more leverage for depositing into GMX. This comes with a risk: if a malicious user abuses GMX directly through the vault, it is not only that user who will be blacklisted but the entire deposited amount of the GMXVault contract.
https://github.com/gmx-io/gmx-synthetics#integration-notes
When there is suspicious activity in GMX's markets, GMX has the right to blacklist the address making these types of transactions. However, in SteadeFi's implementation, funds deposited through the vault are represented on GMX by the GMXVault contract used. So if a malicious user wants to abuse GMX through SteadeFi, he will not put his own funds at any risk. Instead, he will put the funds of all users of that SteadeFi vault at risk of being locked because of his malicious actions.
We can verify from GMX's README that GMX will indeed blacklist all the funds; it states:
• Funds for blacklisted addresses will be kept within the protocol
Although it is not directly related to the code itself, this is a valid concern that can damage the reputation of the whole protocol, thus reducing the yield generated in its LendingVaults as well.
Loss of trust in the protocol from the daily users.
Manual
It is hard to give a recommendation for this problem since it is not directly related to the code itself. As a brief suggestion, consider adding some type of entry fee that the user receives back on withdrawal if he did not do anything harmful to the protocol's reputation. Take this with a grain of salt, because it can open a variety of new vulnerabilities if not implemented correctly.