Lows - 4
L-1
Summary
The protocol is not compliant with wired tokens. Particularly fee-on-transfer tokens.
Vulnerability Details
The protocol uses user's input as deposited amount:
Impact
Assets loses
Tools used
Manual Review
Recommendations
Compute the balance before and after transfer and subtract them to get the real amount. Also use nonReentrant while using this to prevent from reentrancy in ERC777 tokens.
L-2
Summary
The protocol is not compliant with tokens which have decimals more than 18.
Vulnerability Details
In the lines below the protocol will always revert for tokens with decimals more than 18.
https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXReader.sol#L67
https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXManager.sol#L198
https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXManager.sol#L208
Impact
Underflow reverts
Tools used
Manual Review
Recommendations
Use division instead of subtracting for decimals normalizing.
L-3
Summary
Useless check
Vulnerability Details
The checks at lines L#252 and L#265 do nothing because uints can’t be less than zero.
Impact
No impact
Tools used
Manual Review
Recommendations
Remove this checks.
L-4
Summary
Underflow in unchecked brackets
Vulnerability Details
There can be underflow in the GMXEmergency.emergencyWithdraw function. This can cause unexpected reveret at the _burn.
Impact
Unexpected insufficient balance error
Tools used
Manual Review
Recommendations
I suppose there is no need in gas economy:
Lead Judging Commences
INFO: Unnecessary maxDelay/maxDeviation check
Redundant check on maxDelay and/or maxDeviation in ARBOracle
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.