Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Swap Rejection Due to Invalid Deadline in Emergency Close

hunter_w3b

Summary

The emergencyClose() function allows the caller to specify a deadline by which any necessary swap calls must complete. However, it does not check if the provided deadline has already passed.

Vulnerability Details

An attacker could call emergencyClose() with a deadline in the past, causing valid swaps made by the function to incorrectly fail due to the invalid deadline. This could prevent borrow positions from being properly unwound.

function emergencyClose(

GMXTypes.Store storage self,

uint256 deadline

) external {

GMXChecks.beforeEmergencyCloseChecks(self);

// Repay all borrowed assets; 1e18 == 100% shareRatio to repay

GMXTypes.RepayParams memory _rp;

(

_rp.repayTokenAAmt,

_rp.repayTokenBAmt

) = GMXManager.calcRepay(self, 1e18);

(

bool _swapNeeded,

address _tokenFrom,

address _tokenTo,

uint256 _tokenToAmt

) = GMXManager.calcSwapForRepay(self, _rp);

if (_swapNeeded) {

ISwap.SwapParams memory _sp;

_sp.tokenIn = _tokenFrom;

_sp.tokenOut = _tokenTo;

_sp.amountIn = IERC20(_tokenFrom).balanceOf(address(this));

_sp.amountOut = _tokenToAmt;

_sp.slippage = self.minSlippage;

_sp.deadline = deadline;

GMXManager.swapTokensForExactTokens(self, _sp);

}

GMXManager.repay(

self,

_rp.repayTokenAAmt,

_rp.repayTokenBAmt

);

self.status = GMXTypes.Status.Closed;

emit EmergencyClose(

_rp.repayTokenAAmt,

_rp.repayTokenBAmt

);

}

Reproduction Steps:

Caller invokes emergencyClose(), specifying a deadline timestamp from the past
Function performs swap calls with the expired deadline
Swap calls incorrectly fail due to the invalid deadline

Impact

Borrow positions may not fully repay due to rejected swaps

Tools Used

Manual Review

Recommendations

Add validation that the provided deadline is after the current timestamp before using it for swaps. This ensures swaps will not erroneously fail due to an already-expired deadline.

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.