ExchangeRouter, Oracle or Reader their addresses will change as new logic is added
Summary
The GMX documentation states:
"If using contracts such as the ExchangeRouter, Oracle, or Reader, do note that their addresses will change as new logic is added."
However, the VaultReader contract references these contracts as properties but does not have a mechanism to update them after initialization. Since VaultReader is not upgradeable, any changes to the referenced contract addresses can cause it to become outdated, leading to potential issues in contract interactions.
https://github.com/gmx-io/gmx-synthetics?tab=readme-ov-file#integration-notes
Vulnerability Details
The VaultReader contract relies on contract addresses that can change over time.
These addresses are set during initialization but cannot be updated later.
This could lead to incorrect data retrieval, broken functionality, or unexpected behaviors in dependent systems.
Impact
Data Inconsistency: VaultReader may fetch outdated or incorrect data.
Loss of Functionality: Contracts relying on VaultReader could break if referenced contracts are updated.
Security Risks: If a new contract version fixes vulnerabilities, VaultReader would remain linked to the insecure version.
Tools Used
Manual review
Recommendations
Implement an Update Mechanism: Allow VaultReader to update its contract references dynamically.
Use a Proxy Pattern: Deploy an upgradeable VaultReader to accommodate future updates.
Lead Judging Commences
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.