Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

The address of GmxReader can not be updated in VaultReader.sol

mrkaplan

Vulnerability details

VaultReader.sol sets the address of the GMX reader in its constructor.

constructor(
address _orderHandler,
address _dataStore,
address _orderVault,
address _reader,
address _referralStorage
) {
orderHandler = _orderHandler;
dataStore = IDataStore(_dataStore);
orderVault = address(_orderVault);
@> gmxReader = IGmxReader(_reader);
referralStorage = address(_referralStorage);
}

According to integration notes of GMX:

If using contracts such as the ExchangeRouter, Oracle or Reader do note that their addresses will change as new logic is added

The issue is that this address cannot be updated after deployment. This introduces a risk, if the address of the GmxReader changes, the protocol will start using GMX outdated functionality. As this contract is responsible for extracting information from GMX to the protocol's critical functions, this extracted information can be wrong, rendering the protocol useless.

Root cause

  • Inability to update the address of GmxReader.

Impact

  • Use outdated functionality.

  • Use of wrong values.

Tools used

Manual review

Recommendations

Add a function that enables to update the address of the Reader.

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.