Steadefi
Steadefi
DeFiHardhatFoundryOracle
35,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

GMXOracle contract's getAmountsOut function lacks proper error handling and input validation

0xVinylDavyl

Summary

Implement proper error handling and input validation for all functions. Check inputs for validity and handle potential errors gracefully. Make sure the contract can handle unexpected inputs without unexpected behavior

Vulnerability Details

The GMXOracle contract lacks proper error handling and input validation in several of its functions. Without appropriate validation and error handling, the contract may not be able to handle unexpected inputs, leading to unexpected behavior or vulnerabilities.

One of the examples of a function that lacks input validation and error handling is the getAmountsOut function within the GMXOracle contract. While it was used as an example to illustrate proper validation and error handling, the actual function in the contract does not have these validations. Below is the vulnerable function with an example of proper error handling:

/**
* @notice Get amountsOut of either the long or short token based on the amountsIn
* of either long or short token in the market
* @param marketToken LP token address
* @param indexToken Index token address
* @param longToken Long token address
* @param shortToken Short token address
* @param tokenIn TokenIn address
* @param amountIn Amount of tokenIn, expressed in tokenIn's decimals
* @return amountsOut Amount of tokenOut within LP (market) to be received, expressed in tokenOut's decimals
*/
function getAmountsOut(
address marketToken,
address indexToken,
address longToken,
address shortToken,
address tokenIn,
uint256 amountIn
) public view returns (uint256) {
ISyntheticReader.MarketProps memory _market;
_market.marketToken = marketToken;
_market.indexToken = indexToken;
_market.longToken = longToken;
_market.shortToken = shortToken;
ISyntheticReader.PriceProps memory _indexTokenPrice;
_indexTokenPrice.min = _getTokenPriceMinMaxFormatted(indexToken);
_indexTokenPrice.max = _getTokenPriceMinMaxFormatted(indexToken);
ISyntheticReader.PriceProps memory _longTokenPrice;
_longTokenPrice.min = _getTokenPriceMinMaxFormatted(longToken);
_longTokenPrice.max = _getTokenPriceMinMaxFormatted(longToken);
ISyntheticReader.PriceProps memory _shortTokenPrice;
_shortTokenPrice.min = _getTokenPriceMinMaxFormatted(shortToken);
_shortTokenPrice.max = _getTokenPriceMinMaxFormatted(shortToken);
ISyntheticReader.MarketPrices memory _prices;
_prices.indexTokenPrice = _indexTokenPrice;
_prices.longTokenPrice = _longTokenPrice;
_prices.shortTokenPrice = _shortTokenPrice;
address _uiFeeReceiver = address(0);
// Proper input validation
require(amountIn > 0, "Amount must be greater than 0");
(uint256 _amountsOut,,) = syntheticReader.getSwapAmountOut(
dataStore,
_market,
_prices,
tokenIn,
amountIn,
_uiFeeReceiver
);
return _amountsOut;
}

Impact

The lack of proper input validation and error handling could lead to unexpected behavior or vulnerabilities when unexpected inputs are provided. This may affect the accuracy and reliability of the contract's functions and pose a security risk.

Tools Used

Manual

Recommendations

To address this vulnerability, it is recommended to implement proper error handling and input validation for all functions. Check inputs for validity and handle potential errors gracefully to ensure that the contract can handle unexpected inputs without unexpected behavior.

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.