Codehawks Public Audit Mitigation Report
Name
Severity
Status
Mitigation Review
PR
H-02. try-catch does not store the state when it is reverted
High
Done
Verified
H-03. `GMXVault` can be blocked by a malicious actor
High
Done
Verified
H-04. Incorrect Execution Fee Refund address on Failed Deposits or withdrawals in Strategy Vaults
High
Done
Verified
H-05. Withdraw function provides more funds to withdrawer
High
Done
Verified
H-06. User can revert processWithdraw
High
Done
Verified
H-07. Incorrect slippage protection on deposits
High
Done
Verified
H-08. Yield in trove is lost when closing a strategy vault
High
Done
Verified
H-09. The `afterWithdrawChecks` applies only if user wants to withdraw in tokenA/B
High
Done
Verified
H-10. Users withdraw more assets than should when `mintFee` was called long ago
High
Done
Verified
M-01. The protocol will mint unnecessary fees if the vault is paused and reopened later.
Medium
Done
Verified
M-02. `emergencyPause` does not check the state before running && can cause loss of funds for users
Medium
Done
Verified
M-03. Invariant violation (funds could remain in the vault and a depositor could benefit from it)
Medium
Done
Verified
M-04. Setter functions for core GMX contracts
Medium
Done
Verified
M-05. Emergency Closed Vault Can Be Paused Then Resume
Medium
Done
Verified
M-06. The transfer of ERC-20 tokens with blacklist functionality in process functions can lead to stuck vaults
Medium
Acknowledged
Acknowledged
M-07. Wrong hardcoded PnL factor is used in all GMXVault add liquidity operations
Medium
Done
Verified
M-08. Incorrect depositable shortToken amount calculation in Delta neutral vaults
Medium
Done
Verified
M-09. `emergencyClose()` may fail to repay any debt
Medium
Done
Verified
M-10. Missing minimum token amounts in the emergency contract functions allows MEV bots to take advantage of the protocols emergency situation
Medium
Done
Verified
M-11. re-entrency possible on processWithdraw since external call is made before burning user's shares in Vault
Medium
Done
Verified
M-12. min max price on getMarketTokenPrice is not utilized such that deposit and withdrawal can use the same price, leading to free tx for cost-free manipulation
Medium
Acknowledged
Acknowledged
M-13. Incorrect state transition may cause vault in stuck
Medium
Done
Verified
M-14. Chainlinks oracle feeds are not immutable
Medium
Done
Verified
M-15. GMXVault can stop working in case if GMX will change `Keys.MAX_CALLBACK_GAS_LIMIT` to smaller than 2 millions
Medium
Done
Verified
M-16. Rewards from GMX are sent to Trove only in deposit and withdraw functions
Medium
Done
Verified
M-17. In case if withdraw has failed, then processWithdrawFailure will decrease exchange rate of GMXVault shares
Medium
Acknowledged
Acknowledged
M-18. All functions that burn or mint shares for user's should mintFee for protocol before
Medium
Done
Verified
M-19. Inaccurate Fee Due to missing lastFeeCollected Update Before feePerSecond Modification
Medium
Done
Verified
M-20. Positions may be liquidated due to incorrect implementation of Oracle logic
Medium
Done
Verified
M-21. Token injection leads to unintended behavior of vault
Medium
Done
Verified
M-22. Strategy Vault stuck at `withdraw_failed` status if the deposit to `GMX` get Cancelled
Medium
Done
Verified
M-23. incorrect handling of compound cancelation lead vault to stuck at `compound_failed` status
Medium
Done
Verified
M-24. incorrect handling for deposit failure leads to stuck at `deposit_failed` status .
Medium
Acknowledged
Acknowledged
M-25. depositors face immediate loss in case `equity = 0`
Medium
Done
Verified
M-26. Front-Run Attacks Due Slippage Mishandling Lead to Total Losses For Depositors
Medium
Done
Verified
M-27. Missing fees allow cheap griefing attacks that lead to DoS
Medium
Acknowledged
Acknowledged
M-29. emergencyResume does not handle the afterDepositCancellation case correctly
Medium
Done
Verified
M-30. A depositor of the GMXVault can bypass paying the fee when the depositor deposit into the GMXVault.
Medium
Done
Verified
M-31. Setting minSharesAmt high always leads to processDeposit failure
Medium
Done
Verified
M-32. The `svTokenValue` function can return overestimated value of each strategy vault share token
Medium
Done
Verified
M-33. The State of the Vault can be stuck for a long period of time
Medium
Acknowledged
Acknowledged
L-02. Lack of events for critical actions
Low
Done
Verified
L-04. Transfer Limit of UNI Tokens May Lead to a DoS and Token Loss Risk
Low
Acknowledged
Acknowledged
L-05. A bad price can be delivered in ChainlinkARBOracle
Low
Done
Verified
L-06. Unsafe Casting performed in the `GMXOracle::_getTokenPriceMinMaxFormatted`
Low
Done
Verified
L-07. getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee
Low
Done
Verified
L-09. Broken `convertToUsdValue` calculation on tokens that have more than 18 decimal places
Low
Done
Verified
L-10. Chainlink aggregators return the incorrect price if it drops below `minAnswer`
Low
Acknowledged
Acknowledged
L-11. Consider erasing cache after completing deposit/withdraw/rebalance/compound operations
Low
Acknowledged
Acknowledged
L-12. Missing chainlink price feed
Low
Acknowledged
Acknowledged
L-13. Unhandled DoS when access to Chainlink oracle is blocked
Low
Acknowledged
Acknowledged
L-14. `processDeposit()` can cause a DoS if equityAfter is 0 and equityBefore > 0.
Low
Done
Verified
L-15. ChainlinkARBOracle.consult will revert phase id was increased for chainlink aggregator
Low
Done
Acknowledged
L-16. Failure in emergencyClose results in funds being stuck
Low
Acknowledged
Acknowledged
L-17. GMXOracle.sol#L280: function `getLpTokenAmount` icorrectly assumes that the returned price is in 18 decimal places. But it is 30 decimal places.
Low
Done
Verified
L-18. USDC is not valued correctly in case of a depeg, which causes a loss of funds
Low
Acknowledged
Acknowledged
L-19. Some tokens may cause `GMXEmergency:emergencyWithdraw` to revert if the withdrawn amount is 0
Low
Acknowledged
Acknowledged