logo
Submitted by ElHaj, FalconHoof, 0xCiphky, SBSecurity, NeverGonnaGiveYulUp. Selected submission by: FalconHoof.

Relevant GitHub Links

https://github.com/gmx-io/gmx-synthetics#known-issues

Summary

GMX docs state that their ExchangeRouter and GMXOracle contracts will change as new logic is added. Therefore setter functions should be added to GMXVault.sol to be able to update the state variables storing those addressed when the need arises.

Vulnerability Details

From the GMX docs:
plain text
If using contracts such as the ExchangeRouter, Oracle or Reader do note that their addresses will change as new logic is added

Impact

Not being able to use the ExchangeRouter and GMXOracle contracts the protocol would effectively be unusable given their importance.

Tools Used

Manual Review

Recommendations

Create setter functions in GMXVault.sol as below:
plain text
function updateExchangeRouter(address exchangeRouter) external onlyOwner {
_store.exchangeRouter = exchangeRouter;
emit ExchangeRouterUpdated(exchangeRouter);
}

function updateGMXOracle(address gmxOracle) external onlyOwner {
_store.gmxOracle = gmxOracle;
emit GMXOracleUpdated(gmxOracle);
}
M-17. In case if withdraw has failed, then processWithdrawFailure will decrease exchange rate of GMXVault shares
L-04. Transfer Limit of UNI Tokens May Lead to a DoS and Token Loss Risk
Powered by Notaku
Share
Content
M-04. Setter functions for core GMX contracts
Relevant GitHub Links
Summary
Vulnerability Details
Impact
Tools Used
Recommendations