Functions send eth away from contract but performs no checks on any address
Summary
Consider introducing checks for msg.sender to ensure the recipient of the money is as intended.
Vulnerability Details
Found in
contracts/GmxProxy.sol ``Line: 539
Found in
contracts/PerpetualVault.sol ``Line: 215
Impact
Add recipient address validation checks
Potential loss of funds if ETH is sent to incorrect/malicious addresses
Risk of permanent fund lock if sent to unusable addresses
No validation could lead to unauthorized withdrawals
Recommendations
Add recipient address validation checks
Implement address whitelisting for withdrawals
Add zero-address checks
Consider using a multi-signature mechanism for large withdrawals
Add event emissions for transfer tracking
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.