Submitted by ElHaj, FalconHoof, 0xCiphky, SBSecurity, NeverGonnaGiveYulUp. Selected submission by: FalconHoof.

Relevant GitHub Links

Summary

GMX docs state that their ExchangeRouter and GMXOracle contracts will change as new logic is added. Therefore setter functions should be added to GMXVault.sol to be able to update the state variables storing those addressed when the need arises.

Vulnerability Details

From the GMX docs:
plain text
If using contracts such as the ExchangeRouter, Oracle or Reader do note that their addresses will change as new logic is added

Impact

Not being able to use the ExchangeRouter and GMXOracle contracts the protocol would effectively be unusable given their importance.

Tools Used

Manual Review

Recommendations

Create setter functions in GMXVault.sol as below:
plain text
function updateExchangeRouter(address exchangeRouter) external onlyOwner { _store.exchangeRouter = exchangeRouter; emit ExchangeRouterUpdated(exchangeRouter); } function updateGMXOracle(address gmxOracle) external onlyOwner { _store.gmxOracle = gmxOracle; emit GMXOracleUpdated(gmxOracle); }