Steadefi

Tags: DeFi, Hardhat, Foundry, Oracle
Prize pool: 35,000 USDC
Submission Details
Severity: medium
Status: Invalid

Lack of msg.sender Validation in Callbacks

Summary

The GMX callback functions do not validate the msg.sender address; they rely on the GMX system alone to call them from the expected source contracts. An arbitrary caller could therefore spoof an otherwise valid callback.

Vulnerability Details

In functions such as afterDepositExecution(), the submission asserts that no check is made that msg.sender actually corresponds to the GMX controller/handler contract:

function afterDepositExecution(
    bytes32 depositKey,
    IDeposit.Props memory /* depositProps */,
    IEvent.Props memory /* eventData */
) external onlyController {
    GMXTypes.Store memory _store = vault.store();
    if (
        _store.status == GMXTypes.Status.Deposit &&
        _store.depositCache.depositKey == depositKey
    ) {
        vault.processDeposit();
    } else if (
        _store.status == GMXTypes.Status.Rebalance_Add &&
        _store.rebalanceCache.depositKey == depositKey
    ) {
        vault.processRebalanceAdd();
    } else if (
        _store.status == GMXTypes.Status.Compound &&
        _store.compoundCache.depositKey == depositKey
    ) {
        vault.processCompound();
    } else if (
        _store.status == GMXTypes.Status.Withdraw_Failed &&
        _store.withdrawCache.depositKey == depositKey
    ) {
        vault.processWithdrawFailureLiquidityAdded();
    } else if (_store.status == GMXTypes.Status.Resume) {
        // This if block is to catch the Deposit callback after an
        // emergencyResume() to set the vault status to Open
        vault.processEmergencyResume();
    }
}

An attacker could craft a transaction from any address that calls these functions directly. As written, the submission argues, nothing stops a spoofing attack in which callbacks are triggered in situations where they should not be.

Impact

A spoofing attack could trigger vault state transitions out of their expected ordering, putting user funds at risk.
Invalid status updates may occur if the preconditions of a callback are not actually met but the callback is spoofed anyway. Over time, spoofed callbacks could desynchronize on-chain vault state from the real GMX orders and fills, which also harms auditability.

Tools Used

Manual Review

Recommendations

Validate that msg.sender is the expected GMX controller (by address, or by a signature over the callback data), or integrate callback-source validation into the vault's general state-transition management.
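The following is an added example, not Steadefi's code. The afterDepositExecution() shown above already carries an onlyController modifier, but its body is not on this page; the example shows what such a modifier has to enforce (msg.sender equals the configured GMX handler address), puts a spoofable variant next to the guarded one, and adds a Foundry test that a call from any other address reverts before the vault is touched. The IVault interface, the depositHandler and expectedDepositKey fields, MockVault, and the single-key matching are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Assumed minimal vault surface; the real vault exposes more state transitions.
interface IVault {
    function processDeposit() external;
}

// VULNERABLE (assumed shape): no sender check, so any EOA or contract that
// knows the expected depositKey can drive the vault's deposit state machine.
contract CallbackSpoofable {
    IVault public immutable vault;
    bytes32 public expectedDepositKey;

    constructor(IVault _vault) { vault = _vault; }

    function setExpectedDepositKey(bytes32 key) external {
        require(msg.sender == address(vault), "not vault");
        expectedDepositKey = key;
    }

    function afterDepositExecution(bytes32 depositKey) external {
        if (depositKey == expectedDepositKey) vault.processDeposit();
    }
}

// GUARDED: the callback is only honoured when msg.sender is the GMX handler
// address fixed at deployment. The depositKey match is still required so a
// stale or unrelated execution cannot advance the vault.
contract CallbackGuarded {
    IVault public immutable vault;
    address public immutable depositHandler; // assumed: GMX DepositHandler
    bytes32 public expectedDepositKey;

    error NotController(address caller);

    modifier onlyController() {
        if (msg.sender != depositHandler) revert NotController(msg.sender);
        _;
    }

    constructor(IVault _vault, address _depositHandler) {
        vault = _vault;
        depositHandler = _depositHandler;
    }

    function setExpectedDepositKey(bytes32 key) external {
        require(msg.sender == address(vault), "not vault");
        expectedDepositKey = key;
    }

    function afterDepositExecution(bytes32 depositKey) external onlyController {
        if (depositKey == expectedDepositKey) vault.processDeposit();
    }
}

// Constructed test double: counts how often the vault was advanced.
contract MockVault is IVault {
    uint256 public processed;
    function processDeposit() external { processed++; }
}

contract CallbackSenderTest is Test {
    MockVault vault;
    CallbackGuarded guarded;
    CallbackSpoofable spoofable;
    address handler = makeAddr("gmxDepositHandler");
    address attacker = makeAddr("attacker");
    bytes32 key = keccak256("deposit-1"); // constructed sample key

    function setUp() public {
        vault = new MockVault();
        guarded = new CallbackGuarded(IVault(address(vault)), handler);
        spoofable = new CallbackSpoofable(IVault(address(vault)));
        vm.prank(address(vault));
        guarded.setExpectedDepositKey(key);
        vm.prank(address(vault));
        spoofable.setExpectedDepositKey(key);
    }

    // Without the modifier the attacker advances the vault with a spoofed callback.
    function test_unguardedCallbackIsSpoofable() public {
        vm.prank(attacker);
        spoofable.afterDepositExecution(key);
        assertEq(vault.processed(), 1);
    }

    // With the modifier the same call reverts and vault state is untouched.
    function test_guardedCallbackRejectsSpoofedSender() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(CallbackGuarded.NotController.selector, attacker));
        guarded.afterDepositExecution(key);
        assertEq(vault.processed(), 0);
    }

    // The genuine handler still drives the transition.
    function test_guardedCallbackAcceptsHandler() public {
        vm.prank(handler);
        guarded.afterDepositExecution(key);
        assertEq(vault.processed(), 1);
    }
}
```

Run with forge test in a Foundry project that has forge-std installed. The handler address is immutable here; if the integration must survive a GMX handler upgrade, store it in a governance-controlled setter instead, and keep the depositKey match as the second condition so a legitimate handler cannot be replayed against a stale vault status.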

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
