Relevant GitHub Links
Summary
Because the protocol does not collect rewards from GMX in every function, these rewards can be sent to the user.
Vulnerability Details
This is because the protocol expects to receive rewards from GMX in the form of these tokens. The amount is therefore sent to the Trove so that it can be compounded later.
The problem is that the deposit and withdraw functions are not the only entry points that can send these rewards to the user. For example, the processDepositFailureLiquidityWithdrawal function sends the whole balance to the user after the repay is done.
Another example is inside the processDepositCancellation function: if depositParams.token is native, the whole balance is sent to the user. Because there is some delay after a deposit or withdraw request is made, rewards can arrive during that delay and be sent to the user.
Impact
Rewards are not sent to the Trove, but to the user.
Tools Used
VsCode
Recommendations
I can't give a good recommendation for all of those cases, as GMXCallback is triggered by GMX and you can't know exactly which amount was sent. But for the processDepositCancellation function, you should not send more than self.depositCache.depositParams.amt. So do not withdraw the whole balance, but that amount.
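
The cancellation case above as a simplified, hypothetical Solidity model; this is an added example, not the protocol's code. The contract name, requestDeposit, both cancel functions and the forwarding of the surplus to a trove address are assumptions made for illustration; only refunding the cached amount instead of the whole balance comes from the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of a vault with a delayed, cancellable native deposit.
// Access control on the cancel paths is omitted to keep the model short.
contract CancellationRefundModel {
    struct DepositCache {
        address payable user;
        uint256 amt; // native amount the user supplied with the request
    }

    DepositCache public depositCache;
    address payable public immutable trove; // where rewards should accumulate

    constructor(address payable _trove) { trove = _trove; }

    // Rewards can arrive at any time, including while a request is pending.
    receive() external payable {}

    function requestDeposit() external payable {
        require(depositCache.user == address(0), "request pending");
        depositCache = DepositCache(payable(msg.sender), msg.value);
    }

    // Pattern from the finding: the whole balance is refunded, so any reward
    // received during the delay leaves with the user.
    function cancelRefundWholeBalance() external {
        DepositCache memory c = depositCache;
        require(c.user != address(0), "no request");
        delete depositCache;
        (bool ok, ) = c.user.call{value: address(this).balance}("");
        require(ok, "refund failed");
    }

    // Recommended pattern: refund only the cached amount. The surplus is fixed
    // before any external call and forwarded to the trove (assumed handling).
    function cancelRefundCachedAmount() external {
        DepositCache memory c = depositCache;
        require(c.user != address(0), "no request");
        delete depositCache;
        uint256 surplus = address(this).balance - c.amt; // reverts if short
        (bool ok, ) = c.user.call{value: c.amt}("");
        require(ok, "refund failed");
        if (surplus > 0) {
            (ok, ) = trove.call{value: surplus}("");
            require(ok, "trove transfer failed");
        }
    }
}
```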