logo
Steadefi Documentation
/
Security
/
Audits
/
Codehawks Public Audit Mitigation Report

L-07. getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee

Submitted by Citris, FalconHoof. Selected submission by: Citris.

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/oracles/GMXOracle.sol#L134

Summary

getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee.
With Reference to GMXv2, they have an impact pool which holds the fund collected from depositor who deposit on the imbalanced side of the market, namely a bigger cumulative vritualBalance. The fee is also documented here
https://github.com/gmx-io/gmx-synthetics/blob/613c72003eafe21f8f80ea951efd14e366fe3a31/contracts/deposit/ExecuteDepositUtils.sol#L130-L134
plain text
MarketUtils.distributePositionImpactPool(
params.dataStore,
params.eventEmitter,
market.marketToken
);
Therefore the getsAmountIn may not be sufficient for the deposit/rebalance, if the the rebalance is done in a while that is against the incurred impact price fee.

Vulnerability Details

Impact

getsAmountsIn hardcoded 15bps for buffer which may not be representative of the dynamic fee implemented in GMXv2.

Tools Used

Recommendations

ImpactPrice calculation can be imported from the PricingUtil.sol in GMXv2 repo.
There is a script to calculate/verify the impact against tradeSize off-chain here
L-02. Lack of events for critical actions
L-10. Chainlink aggregators return the incorrect price if it drops below `minAnswer`
Powered by Notaku
Share
Content
L-07. getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee
Relevant GitHub Links
Summary
Vulnerability Details
Impact
Tools Used
Recommendations