DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

No functionality to update Governance Fee

Summary

The documentation specifies that governanceFee should range between 100 and 2000 (1% to 20%), but in the initialize function, it’s fixed at 500 (5%) with no option to update it later. This limitation directly affects the protocol’s ability to adapt, impacting its core functionality.

Vulnerability Details

In the perpetual vault contract, the governanceFee is set to 500 during deployment in the initialize function. However, there’s no mechanism for the admin to modify this value afterward.

/**
 * @notice
 * `collateralToken` can be ETH, WETH, BTC, LINK, UNI, USDC, USDT, DAI, FRAX.
 * @param _market address of GMX market
 * @param _keeper keeper address
 * @param _treasury fee receiver
 * @param _gmxProxy address of GMXUtils contract
 * @param _vaultReader address of the VaultReader contract
 * @param _minDepositAmount minimum deposit amount
 * @param _maxDepositAmount maximum deposit amount
 * @param _leverage position leverage
 */
function initialize(
    address _market,
    address _keeper,
    address _treasury,
    address _gmxProxy,
    address _vaultReader,
    uint256 _minDepositAmount,
    uint256 _maxDepositAmount,
    uint256 _leverage
) external initializer {
    __Ownable2Step_init();
    __ReentrancyGuard_init();
    if (
        _market == address(0) ||
        _gmxProxy == address(0) ||
        _keeper == address(0) ||
        _vaultReader == address(0) ||
        _treasury == address(0)
    ) {
        revert Error.ZeroValue();
    }
    market = _market;
    IGmxProxy(_gmxProxy).setPerpVault(address(this), market);
    gmxProxy = IGmxProxy(_gmxProxy);
    MarketProps memory marketInfo = IVaultReader(_vaultReader).getMarket(market);
    indexToken = marketInfo.indexToken;
    collateralToken = IERC20(marketInfo.shortToken);
    keeper = _keeper;
    treasury = _treasury;
    vaultReader = IVaultReader(_vaultReader);
    governanceFee = 500; // 5%, hard-coded: no setter exists to change it later
    minDepositAmount = _minDepositAmount;
    maxDepositAmount = _maxDepositAmount;
    callbackGasLimit = 2_000_000;
    positionIsClosed = true;
    lockTime = 7 * 24 * 3600; // 1 week
    leverage = _leverage;
}

Impact

The governanceFee is a vital parameter for managing the protocol and incentivizing users. In critical market situations, adjusting this value is essential to maintain the protocol’s health, but the current lack of an update mechanism hinders this flexibility, potentially affecting its sustainability and user engagement. (High impact, low likelihood)

Tools Used

Manual Review

Recommendations

Add a function to the perpetual vault that lets the admin update the governance fee, enforcing the documented 100 to 2000 range:

function setGovernanceFee(uint256 _newFee) external onlyOwner {
    // Documented bounds: 100 (1%) to 2000 (20%)
    require(_newFee >= 100 && _newFee <= 2000, "Fee must be between 1% and 20%");
    governanceFee = _newFee;
}
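To check that the recommended setter actually enforces the documented bounds and the owner restriction, here is an added example (not DeFiFoundry's code): a minimal stand-in contract holding only the governanceFee state, plus a Foundry test. It assumes OpenZeppelin v5 `Ownable` (the real vault uses `Ownable2StepUpgradeable`) and forge-std; the contract and test names are hypothetical, while the 500 default and the 100 to 2000 range come from the finding above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Stand-in vault with a bounded, owner-only
// governance fee setter, and a Foundry test exercising the bounds and access control.
import {Test} from "forge-std/Test.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract GovernanceFeeVault is Ownable {
    uint256 public constant MIN_GOVERNANCE_FEE = 100;  // 1%
    uint256 public constant MAX_GOVERNANCE_FEE = 2000; // 20%
    uint256 public governanceFee = 500;                // 5%, same default as initialize()

    event GovernanceFeeUpdated(uint256 oldFee, uint256 newFee);
    error FeeOutOfRange(uint256 fee);

    constructor() Ownable(msg.sender) {}

    // Owner-only update, rejecting values outside the documented range.
    function setGovernanceFee(uint256 _newFee) external onlyOwner {
        if (_newFee < MIN_GOVERNANCE_FEE || _newFee > MAX_GOVERNANCE_FEE) {
            revert FeeOutOfRange(_newFee);
        }
        emit GovernanceFeeUpdated(governanceFee, _newFee);
        governanceFee = _newFee;
    }
}

contract GovernanceFeeVaultTest is Test {
    GovernanceFeeVault vault;
    address nonOwner = address(0xBEEF); // constructed address for the negative test

    function setUp() public { vault = new GovernanceFeeVault(); }

    function test_OwnerCanUpdateWithinBounds() public {
        vault.setGovernanceFee(1000);
        assertEq(vault.governanceFee(), 1000);
    }

    function test_RevertsOutsideBounds() public {
        vm.expectRevert(abi.encodeWithSelector(GovernanceFeeVault.FeeOutOfRange.selector, 99));
        vault.setGovernanceFee(99);
        vm.expectRevert(abi.encodeWithSelector(GovernanceFeeVault.FeeOutOfRange.selector, 2001));
        vault.setGovernanceFee(2001);
        assertEq(vault.governanceFee(), 500); // unchanged after both failed attempts
    }

    function test_NonOwnerCannotUpdate() public {
        vm.prank(nonOwner);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, nonOwner));
        vault.setGovernanceFee(1000);
    }
}
```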
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.

Appeal created

secret__one Submitter
9 months ago
n0kto Lead Judge
9 months ago
n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
