Submission Details
Severity:
Wrong parameter passed while calling `gmxOracle.getLpTokenValue()`
Summary
Vulnerability Details
As here we can see getLpTokenValue() has a isDeposit check according to which _pnlFactorType is set.
_pnlFactorType value depends on whether its from a deposit / withdraw
function getLpTokenValue(
address marketToken,
address indexToken,
address longToken,
address shortToken,
bool isDeposit,
bool maximize
) public view returns (uint256) {
bytes32 _pnlFactorType;
if (isDeposit) {
_pnlFactorType = keccak256(abi.encode("MAX_PNL_FACTOR_FOR_DEPOSITS"));
} else {
_pnlFactorType = keccak256(abi.encode("MAX_PNL_FACTOR_FOR_WITHDRAWALS"));
}
(int256 _marketTokenPrice,) = getMarketTokenInfo(
marketToken,
indexToken,
longToken,
shortToken,
_pnlFactorType,
maximize
);
In GMXDeposit.deposit() we have gmxOracle.getLpTokenValue to calculate depositValue where isDeposit parameter set to false.
_dc.depositValue = self.gmxOracle.getLpTokenValue( // @audit-info marketTokenPrice in 1e18
address(self.lpToken),
address(self.tokenA),
address(self.tokenA),
address(self.tokenB),
false, // @audit L :: i think it should be true
false
)
* dp.amt
/ SAFE_MULTIPLIER;
Impact
No serious impact, as discussed with sponsors
Tools Used
Manual review
Recommendations
_dc.depositValue = self.gmxOracle.getLpTokenValue( // @audit-info marketTokenPrice in 1e18
address(self.lpToken),
address(self.tokenA),
address(self.tokenA),
address(self.tokenB),
- false, // @audit L :: i think it should be true
+ true,
false
)
* dp.amt
/ SAFE_MULTIPLIER;
Prize pool breakdown
Total prize
35,000 USDC
nSLOC
2,28915 USDC / LOC
33,000 USDC
2,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.