Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: high
Invalid

GMXVault.sol#L605 : `keepers` map is not updated when updating the callback function

Summary

The `keepers` map is not updated when the callback is updated by calling the function `updateCallback`.

Vulnerability Details

The GMXVault contract has a `keepers` map of the addresses approved to carry out core functionality such as deposit, withdraw, rebalance and compound.

The `keepers` map is updated when the vault contract is deployed (refer to the line). Here the callback is set as a keeper.

This callback can be updated later by calling the function updateCallback.

Looking at the `updateCallback` function, it does not update the `keepers` map.

Although there is another function, `updateKeeper`, to update this, the missing `updateKeeper` call in `updateCallback` could be a cause for concern if that separate update is missed.

Impact

An outdated or removed keeper can still control core functionality such as deposit, withdraw, rebalance, etc.

Tools Used

Manual review.

Recommendations

Update the function updateCallback as shown below.

```solidity
function updateCallback(address callback) external onlyOwner {
    updateKeeper(_store.callback, false); // added: revoke the old callback's keeper approval
    _store.callback = callback;
    updateKeeper(_store.callback, true); // added: approve the new callback as keeper
    emit CallbackUpdated(callback);
}
```
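
A minimal model of the state this submission describes, added here as an example; it is not code from the submission or from the Steadefi code base. `VaultModel`, `KeeperSyncCheck`, the two `updateCallback*` variants and the addresses are constructed for illustration, and only the callback address and the `keepers` map are modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed model, not GMXVault: only the two pieces of state the finding is about.
contract VaultModel {
    address public owner;
    address public callback;
    mapping(address => bool) public keepers;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address callback_) {
        owner = msg.sender;
        callback = callback_;
        keepers[callback_] = true; // callback approved as keeper at deployment
    }

    function updateKeeper(address keeper, bool approval) public onlyOwner {
        keepers[keeper] = approval;
    }

    // Behaviour described in the finding: the keepers map is left untouched.
    function updateCallbackUnsynced(address callback_) external onlyOwner {
        callback = callback_;
    }

    // Recommended behaviour: revoke the old callback, approve the new one.
    function updateCallbackSynced(address callback_) external onlyOwner {
        updateKeeper(callback, false);
        callback = callback_;
        updateKeeper(callback_, true);
    }
}

// Checks that can be turned into unit tests; each returns true when the stated property holds.
contract KeeperSyncCheck {
    address constant OLD_CB = address(0xA11CE); // constructed addresses
    address constant NEW_CB = address(0xB0B);
    function staleAfterUnsynced() external returns (bool) {
        VaultModel v = new VaultModel(OLD_CB); // this contract becomes the owner
        v.updateCallbackUnsynced(NEW_CB);
        return v.keepers(OLD_CB) && !v.keepers(NEW_CB); // old still approved, new is not
    }

    function cleanAfterSynced() external returns (bool) {
        VaultModel v = new VaultModel(OLD_CB);
        v.updateCallbackSynced(NEW_CB);
        return !v.keepers(OLD_CB) && v.keepers(NEW_CB); // approvals follow the callback
    }
}
```

Both check functions return `true`: the unsynchronised update leaves the old callback approved until the owner separately calls `updateKeeper`, while the synchronised update keeps the map aligned with the current callback.
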
Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
ak1 Submitter
almost 2 years ago
hans Auditor
almost 2 years ago
ak1 Submitter
almost 2 years ago
hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
