DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Deprecated OpenZeppelin functions should not be used

Summary

The contracts in GmxProxy.sol and ParaSwapUtils.sol use deprecated functions from the OpenZeppelin library, specifically the safeApprove() function from IERC20. OpenZeppelin has deprecated this function in favor of a safer and more efficient approach, as safeApprove() can lead to potential issues when used incorrectly in certain scenarios. It is recommended to update to the newer functions provided by OpenZeppelin to ensure safer and more reliable code.

Vulnerability Details

The safeApprove() function is deprecated because it can lead to unexpected behavior when used to change the allowance of tokens. The OpenZeppelin library now recommends using the increaseAllowance() and decreaseAllowance() functions for managing token allowances, rather than calling approve() directly or using the deprecated safeApprove().

Found Instances:

  1. GmxProxy.sol - Line 406:

     `IERC20(orderData.initialCollateralToken).safeApprove(...);`

     • The function safeApprove() is used to approve token allowances. This function is now deprecated due to its potential risks.

  2. ParaSwapUtils.sol - Line 23:

     `IERC20(fromToken).safeApprove(approvalAddress, fromAmount);`

     • Similarly, this line uses safeApprove() to approve the transfer of tokens, which is also deprecated and should be replaced.

Impact

  • Security Risks: The use of deprecated functions introduces the possibility of issues such as race conditions or unexpected behaviors when interacting with token allowances. This can lead to vulnerabilities like the inability to properly reset allowances, increasing the chances of an attack.

  • Compatibility Issues: Deprecated functions may eventually be removed in future OpenZeppelin versions, making the contract incompatible with newer versions of the library, thus requiring refactoring.

  • Outdated Practices: Using deprecated functions could be seen as poor coding practice, reducing the overall security and maintainability of the contract.

Tools Used

  • Static Analysis: This issue was identified using static code analysis tools (e.g., Slither, MythX, or CodeQL) that flag deprecated function usage from libraries like OpenZeppelin.

Recommendations

  1. Use increaseAllowance() and decreaseAllowance():

    • Replace calls to safeApprove() with increaseAllowance() and decreaseAllowance(), as these are the recommended methods for safely adjusting token allowances.

    Example:

    `IERC20(orderData.initialCollateralToken).increaseAllowance(spender, amount);`
  2. Review Other Instances:

    • Check the rest of the contract code to ensure there are no other instances of deprecated functions being used. Update them accordingly to the latest OpenZeppelin best practices.

  3. Update OpenZeppelin Library:

    • Ensure that your OpenZeppelin contracts are up to date to avoid using deprecated or outdated functions. Regularly check the OpenZeppelin documentation for updates and best practices.

  4. Test Thoroughly:

    • After making the necessary changes, ensure that the contract behaves correctly with the new functions. Test for edge cases, especially related to allowance management, to ensure no unintended behavior occurs.

  5. Stay Updated:

    • Continuously monitor for updates in the OpenZeppelin library, especially with regards to token handling functions, to ensure your code remains secure and up-to-date.
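The following contract is an added example, not code from the audited project and not code from the submission above. It illustrates the behaviour described in Vulnerability Details and the replacement recommended above, assuming OpenZeppelin Contracts 4.x, where SafeERC20 still ships the deprecated safeApprove() alongside safeIncreaseAllowance() and safeDecreaseAllowance() (the relative-adjustment wrappers that the IERC20 interface itself does not expose; increaseAllowance()/decreaseAllowance() are functions of OpenZeppelin's ERC20 implementation, not of the IERC20 interface). The contract name, function names and the spender/amount parameters are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited project's code). Assumes OpenZeppelin Contracts 4.x.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract AllowanceExample {
    using SafeERC20 for IERC20;

    // Pattern flagged in the report. SafeERC20.safeApprove() requires that either
    // the new value is zero or the current allowance is zero, so a second call with
    // a fresh non-zero amount reverts and the surrounding code path stops working.
    function approveLegacy(IERC20 token, address spender, uint256 amount) external {
        token.safeApprove(spender, amount); // reverts if allowance != 0 && amount != 0
    }

    // Defensive variant that keeps safeApprove(): reset to zero first, then set the
    // new amount. This is the two-step usage the deprecation notice points to and is
    // still needed for tokens that themselves forbid non-zero -> non-zero approve().
    function approveReset(IERC20 token, address spender, uint256 amount) external {
        token.safeApprove(spender, 0);
        token.safeApprove(spender, amount);
    }

    // Recommended variant: adjust the allowance relative to its current value through
    // the SafeERC20 wrapper, which reads allowance(), adds the delta and calls
    // approve() with the total, tolerating tokens whose approve() returns no bool.
    function approveIncremental(IERC20 token, address spender, uint256 amount) external {
        token.safeIncreaseAllowance(spender, amount);
    }

    // Clean-up after the spender has consumed what it needed: withdraw whatever
    // allowance remains instead of overwriting it with safeApprove(spender, 0).
    function revokeRemainder(IERC20 token, address spender) external {
        uint256 remaining = token.allowance(address(this), spender);
        if (remaining > 0) {
            token.safeDecreaseAllowance(spender, remaining);
        }
    }
}
```

Calling approveLegacy() twice with non-zero amounts against the same spender reverts on the second call; approveIncremental() succeeds both times and leaves the sum as the allowance. The relative-adjustment wrappers still end in a single approve() call on the token, so for tokens that enforce a zero-first rule on approve() itself the approveReset() form remains the one that works.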

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
