DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Functions send ETH away from the contract but perform no checks on any address.

Summary

The functions withdrawEth() in GmxProxy.sol and deposit() in PerpetualVault.sol send ETH away from the contract without performing adequate checks on the msg.sender. This lack of validation could allow malicious actors to exploit the contract and transfer ETH to unintended addresses.

Vulnerability Details

The identified vulnerability is the lack of checks on the msg.sender or any other recipient validation. This allows an attacker to potentially bypass intended logic, causing funds to be transferred to unauthorized addresses. This is a common issue when sending ETH in a contract without proper verification or validation of the recipient address.

Found Instances:

  1. GmxProxy.sol - withdrawEth() (Line 539)

    • The function transfers ETH out of the contract but does not validate the recipient address before doing so.

  2. PerpetualVault.sol - deposit() (Line 215)

    • Although the function handles deposits, it may allow unintended users or addresses to deposit ETH into the contract without proper checks.

Impact

  • Unauthorized Transactions: Malicious actors could exploit these functions to withdraw or deposit ETH to/from unauthorized addresses.

  • Fund Loss: If the contract owner’s address is not properly validated, an attacker could potentially redirect funds meant for the contract owner or other parties.

  • Security Risk: This vulnerability may allow attackers to manipulate the contract’s expected flow, leading to fund theft or improper contract behavior.

Tools Used

Static Analysis: The vulnerability was detected using static code analysis tools (e.g., Aderyn, Slither, MythX, or CodeQL) to check for the absence of appropriate checks on addresses.

Recommendations

  • Implement Checks for msg.sender:

    • Ensure that the msg.sender is the authorized user (such as the contract owner) before allowing withdrawal or deposit operations. You can add modifier checks like onlyOwner for owner-specific operations.

  • Address Validation:

    • For functions involving transfers of ETH, introduce checks that ensure the intended recipient address is valid and authorized.

  • Restrict Unauthorized Withdrawals:

    • Prevent any action from being executed unless it is from a trusted or whitelisted address to avoid unauthorized interactions.

  • Test Thoroughly:

    • Ensure the contract undergoes thorough testing, including boundary conditions to validate the correct behavior of address checks and funds transfers.

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
