The protocol is not compatible with weird ERC-20 tokens, in particular fee-on-transfer tokens. It records the user's input as the deposited amount instead of the amount the contract actually received.
Impact: loss of assets.
Tools used: manual review.
Recommendation: read the contract's token balance before and after the transfer and use the difference as the real deposited amount. Also guard the function with nonReentrant, because a token with transfer hooks (ERC777-style) could otherwise re-enter between the two balance reads.
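The pattern described above, as an added example that is not SteadeFi code: a minimal vault with the vulnerable deposit (credits the caller's input) beside the fixed one (credits the measured balance difference under a reentrancy guard). The contract and function names are invented for illustration; the OpenZeppelin v5 import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// @notice Hypothetical vault (added example, not SteadeFi code) showing the
/// vulnerable deposit accounting next to the balance-difference fix.
contract DepositExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IERC20 _token) {
        token = _token;
    }

    /// @dev VULNERABLE: credits `amount` even when the token takes a fee on
    /// transfer, so internal accounting exceeds the vault's real balance and
    /// the last withdrawers are shorted.
    function depositUnsafe(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        deposited[msg.sender] += amount;
    }

    /// @dev FIXED: credit only what actually arrived. nonReentrant is needed
    /// because a token with transfer hooks (ERC777-style) could re-enter
    /// between the two balanceOf reads and distort the measured difference.
    function deposit(uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        deposited[msg.sender] += received;
    }
}
```

The same before/after measurement belongs anywhere the protocol forwards tokens onward (for example into GMX), since the amount that leaves the vault is again the measured amount, not the user's input.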
The protocol is not compatible with tokens that have more than 18 decimals.
At the lines below the protocol normalizes amounts by subtracting the token's decimals from 18, which underflows and therefore always reverts for tokens with more than 18 decimals.
https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXReader.sol#L67
https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXManager.sol#L198
https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXManager.sol#L208
Impact: underflow reverts, so such tokens cannot be used.
Tools used: manual review.
Recommendation: when normalizing decimals, divide down for tokens with more than 18 decimals instead of subtracting their decimals from 18.
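An added example (not SteadeFi code) of the recommended normalization: the first function reproduces the failing `18 - decimals` pattern as the finding describes it (the exact expression in GMXReader/GMXManager is assumed), the second scales in either direction, and the third converts back. Function and library names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Hypothetical helper (added example, not SteadeFi code) for scaling
/// token amounts to and from an 18-decimal representation.
library DecimalsNormalizer {
    uint8 internal constant TARGET = 18;

    /// @dev VULNERABLE: `TARGET - decimals` is checked uint8 arithmetic and
    /// underflows (Panic 0x11) whenever decimals > 18, so the call reverts.
    function toE18Unsafe(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        return amount * 10 ** (TARGET - decimals);
    }

    /// @dev FIXED: multiply when scaling up, divide when scaling down.
    /// Works for any decimals value; the division truncates, which is the
    /// expected bounded precision loss for >18-decimal tokens.
    function toE18(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        if (decimals == TARGET) return amount;
        if (decimals < TARGET) return amount * 10 ** (TARGET - decimals);
        return amount / 10 ** (decimals - TARGET);
    }

    /// @dev Inverse conversion from 18-decimal representation to token units,
    /// with the branches mirrored.
    function fromE18(uint256 amountE18, uint8 decimals) internal pure returns (uint256) {
        if (decimals == TARGET) return amountE18;
        if (decimals < TARGET) return amountE18 / 10 ** (TARGET - decimals);
        return amountE18 * 10 ** (decimals - TARGET);
    }
}
```

Since Solidity 0.7, exponentiation of a literal base by a non-literal exponent is performed in uint256, so `10 ** (...)` does not itself overflow at small exponents; only the subtraction in the exponent was the problem.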
Useless check
The checks at lines 252 and 265 do nothing, because an unsigned integer can never be less than zero.
Impact: none.
Tools used: manual review.
Recommendation: remove these checks.
Underflow in unchecked block
There can be an underflow in the GMXEmergency.emergencyWithdraw function. Because the subtraction is inside an unchecked block it wraps around instead of reverting, and the resulting oversized value then causes an unexpected revert at the _burn call.
Impact: unexpected insufficient-balance error.
Tools used: manual review.
Recommendation: the gas saved by the unchecked block is not needed here; remove it so that the subtraction uses checked arithmetic and reverts at the point of the underflow.
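An added example (not SteadeFi code) that reproduces the failure mode described in this finding: the operands of the subtraction in the real emergencyWithdraw are not shown on this page, so a hypothetical `shares - fee` stands in for it. With `unchecked`, a `fee` larger than `shares` wraps to a value near 2**256 and _burn reverts with an insufficient-balance error; the checked version reverts at the subtraction itself (Panic 0x11), or with an explicit message if a require is added.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 import path.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// @notice Hypothetical share token (added example, not SteadeFi code) whose
/// emergency withdrawal burns `shares - fee`; both operands are constructed
/// inputs chosen to illustrate the underflow.
contract EmergencyWithdrawExample is ERC20 {
    constructor() ERC20("Shares", "SHR") {
        _mint(msg.sender, 1_000e18);
    }

    /// @dev VULNERABLE: inside `unchecked`, `shares - fee` wraps when
    /// fee > shares, producing a value near type(uint256).max. _burn then
    /// reverts with ERC20InsufficientBalance, which hides the real cause.
    function emergencyWithdrawUnchecked(uint256 shares, uint256 fee) external {
        uint256 toBurn;
        unchecked {
            toBurn = shares - fee;
        }
        _burn(msg.sender, toBurn);
    }

    /// @dev FIXED: checked arithmetic reverts at the subtraction (Panic 0x11);
    /// the explicit require makes the failure reason obvious to callers.
    function emergencyWithdraw(uint256 shares, uint256 fee) external {
        require(fee <= shares, "fee exceeds shares");
        uint256 toBurn = shares - fee;
        _burn(msg.sender, toBurn);
    }
}
```

The gas difference between the two variants is a single overflow check on one subtraction, which is why the recommendation is simply to drop the unchecked block.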
Redundant check on maxDelay and/or maxDeviation in ARBOracle