☑️

Codehawks Public Audit Mitigation Report

Name

Severity

Status

Mitigation Review

PR

H-01. Block of GMXVault by using GMX UI fee

High

Done

Verified

main

H-02. try-catch does not store the state when it is reverted

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/11

H-03. `GMXVault` can be blocked by a malicious actor

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/9

H-04. Incorrect Execution Fee Refund address on Failed Deposits or withdrawals in Strategy Vaults

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

H-05. Withdraw function provides more funds to withdrawer

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

H-06. User can revert processWithdraw

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

H-07. Incorrect slippage protection on deposits

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/9

H-08. Yield in trove is lost when closing a strategy vault

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/6

H-09. The `afterWithdrawChecks` applies only if user wants to withdraw in tokenA/B

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/9

H-10. Users withdraw more assets than should when `mintFee` was called long ago

High

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-01. The protocol will mint unnecessary fees if the vault is paused and reopened later.

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-02. `emergencyPause` does not check the state before running && can cause loss of funds for users

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/13

M-03. Invariant violation (funds could remain in the vault and a depositor could benefit from it)

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/24

M-04. Setter functions for core GMX contracts

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/8

M-05. Emergency Closed Vault Can Be Paused Then Resume

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/13

M-06. The transfer of ERC-20 tokens with blacklist functionality in process functions can lead to stuck vaults

Medium

Acknowledged

Acknowledged

Self accounting needed else acknowledge

M-07. Wrong hardcoded PnL factor is used in all GMXVault add liquidity operations

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/15

M-08. Incorrect depositable shortToken amount calculation in Delta neutral vaults

Medium

Done

Verified

Fixed by our own formula. Already in `main`

M-09. `emergencyClose()` may fail to repay any debt

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/13

M-10. Missing minimum token amounts in the emergency contract functions allows MEV bots to take advantage of the protocols emergency situation

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/9

M-11. re-entrency possible on processWithdraw since external call is made before burning user's shares in Vault

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-12. min max price on getMarketTokenPrice is not utilized such that deposit and withdrawal can use the same price, leading to free tx for cost-free manipulation

Medium

Acknowledged

Acknowledged

Acknowledged, won't fix

M-13. Incorrect state transition may cause vault in stuck

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/16

M-14. Chainlinks oracle feeds are not immutable

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/12

M-15. GMXVault can stop working in case if GMX will change `Keys.MAX_CALLBACK_GAS_LIMIT` to smaller than 2 millions

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/7

M-16. Rewards from GMX are sent to Trove only in deposit and withdraw functions

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/24

M-17. In case if withdraw has failed, then processWithdrawFailure will decrease exchange rate of GMXVault shares

Medium

Acknowledged

Acknowledged

Acknowledged; wont fix. Partially mitigated

M-18. All functions that burn or mint shares for user's should mintFee for protocol before

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-19. Inaccurate Fee Due to missing lastFeeCollected Update Before feePerSecond Modification

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-20. Positions may be liquidated due to incorrect implementation of Oracle logic

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/12

M-21. Token injection leads to unintended behavior of vault

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/24

M-22. Strategy Vault stuck at `withdraw_failed` status if the deposit to `GMX` get Cancelled

Medium

Done

Verified

Partial mitigation by other PRs

M-23. incorrect handling of compound cancelation lead vault to stuck at `compound_failed` status

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/6

M-24. incorrect handling for deposit failure leads to stuck at `deposit_failed` status .

Medium

Acknowledged

Acknowledged

Acknowledged, won't fix

M-25. depositors face immediate loss in case `equity = 0`

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/23

M-26. Front-Run Attacks Due Slippage Mishandling Lead to Total Losses For Depositors

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/22

M-27. Missing fees allow cheap griefing attacks that lead to DoS

Medium

Acknowledged

Acknowledged

Acknowledged

M-28. Users may cost additional interest

Medium

Acknowledged

Acknowledged

Acknowledged, won't fix

M-29. emergencyResume does not handle the afterDepositCancellation case correctly

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/21

M-30. A depositor of the GMXVault can bypass paying the fee when the depositor deposit into the GMXVault.

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-31. Setting minSharesAmt high always leads to processDeposit failure

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/18

M-32. The `svTokenValue` function can return overestimated value of each strategy vault share token

Medium

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/10

M-33. The State of the Vault can be stuck for a long period of time

Medium

Acknowledged

Acknowledged

Acknowledged, won't fix

L-01. Rebalance may occur due to wrong requirements check

Low

Done

Verified

Pushed to `main`

L-02. Lack of events for critical actions

Low

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/19

L-03. Wrong errors are used for reverts

Low

Acknowledged

Acknowledged

Acknowledged; wont fix

L-04. Transfer Limit of UNI Tokens May Lead to a DoS and Token Loss Risk

Low

Acknowledged

Acknowledged

Acknowledged, won't fix

L-05. A bad price can be delivered in ChainlinkARBOracle

Low

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/20

L-06. Unsafe Casting performed in the `GMXOracle::_getTokenPriceMinMaxFormatted`

Low

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/20

L-07. getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee

Low

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/20

L-08. Unsafe call to decimals()

Low

Acknowledged

Acknowledged

Acknowledged, won't fix

L-09. Broken `convertToUsdValue` calculation on tokens that have more than 18 decimal places

Low

Done

Verified

Pushed to `main`

L-10. Chainlink aggregators return the incorrect price if it drops below `minAnswer`

Low

Acknowledged

Acknowledged

Acknowledged; won't fix

L-11. Consider erasing cache after completing deposit/withdraw/rebalance/compound operations

Low

Acknowledged

Acknowledged

Acknowledge; won't fix

L-12. Missing chainlink price feed

Low

Acknowledged

Acknowledged

Acknowledged, we will not implement SOL on Avalanche

L-13. Unhandled DoS when access to Chainlink oracle is blocked

Low

Acknowledged

Acknowledged

Acknowledged, won't fix

L-14. `processDeposit()` can cause a DoS if equityAfter is 0 and equityBefore > 0.

Low

Done

Verified

https://github.com/steadefi/steadefi-contracts-v2/pull/23

L-15. ChainlinkARBOracle.consult will revert phase id was increased for chainlink aggregator

Low

Done

Acknowledged

Indirect fix as we do not check previous round anymore

L-16. Failure in emergencyClose results in funds being stuck

Low

Acknowledged

Acknowledged

Acknowledged, won't fix

L-17. GMXOracle.sol#L280: function `getLpTokenAmount` icorrectly assumes that the returned price is in 18 decimal places. But it is 30 decimal places.

Low

Done

Verified

Fixed directly in `main`

L-18. USDC is not valued correctly in case of a depeg, which causes a loss of funds

Low

Acknowledged

Acknowledged

Acknowledged; won't fix

L-19. Some tokens may cause `GMXEmergency:emergencyWithdraw` to revert if the withdrawn amount is 0

Low

Acknowledged

Acknowledged

Acknowledged, won't fix

Audits

H-01. Block of GMXVault by using GMX UI fee

Powered by Notaku

Helpful?