Relevant GitHub Links
Summary
In case if GMXVault mints/burns shares for users, then it should call
mintFee before in order to get correct portion of fee.Vulnerability Details
Steadefi protocol takes management fee from stakers. This fee accrues each second and is some percentage of totalSupply. In order to mint fees, GMXVault.mintFee should be called. Once, it's done, then
_store.lastFeeCollected is updated up to date.Currently
mintFee is called only in 2 places in the code. Once in the deposit and once in the withdraw function. However, minting and burning is not done in any of them. For example, minting of shares is done in the processDeposit function and this function is called after some time, when deposit is called. As result some time already has passed and fees should be accrued. But in current implementation, new shares will be added to the totalSupply and fees will be taken out of them for the time when this shares were not even minted.Same for the withdraw. When withdraw is called, then shares are not burnt. They are burnt inside
processWithdraw function. So in case if burn is done before feeMint is called, then this removed shares doesn't pay management fee.And last place is
GMXEmergency.emergencyWithdraw. This function also burns shares, which means that mintFee should be called before it.Impact
Incorrect fee payment is done, depending on the situation users or protocol will suffer.
Tools Used
VsCode
Recommendations
Consider call
mintFee for all these cases that i have described.