M-18. All functions that burn or mint shares for users should call mintFee for the protocol beforehand

Submitted by rvierdiiev.

Relevant GitHub Links


Whenever GMXVault mints or burns shares for users, it should call mintFee first so that the protocol receives the correct portion of the fee.

Vulnerability Details

The Steadefi protocol takes a management fee from stakers. This fee accrues each second and is some percentage of totalSupply. To mint fees, GMXVault.mintFee should be called. Once that is done, _store.lastFeeCollected is brought up to date.
Currently mintFee is called in only 2 places in the code: once in the deposit function and once in the withdraw function. However, neither of them mints or burns shares. For example, shares are minted in the processDeposit function, which is called some time after deposit. As a result, some time has already passed and fees should have accrued. But in the current implementation, the new shares are added to totalSupply and fees are then charged on them for a period when these shares had not even been minted.
The same applies to withdraw. When withdraw is called, shares are not burnt. They are burnt inside the processWithdraw function. So if the burn is done before mintFee is called, the removed shares do not pay the management fee.
The last place is GMXEmergency.emergencyWithdraw. This function also burns shares, which means that mintFee should be called before it.


Incorrect fee payments are made; depending on the situation, either users or the protocol will suffer.

Tools Used



Consider calling mintFee in all of the cases that I have described.
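
The accounting effect described above, as an added Python model that is not Steadefi's code and not part of the original report. It assumes the fee equals totalSupply times a per-second rate times the seconds since lastFeeCollected and is minted as new shares; the rate, supplies and timestamps are constructed values.

```python
from fractions import Fraction

# Constructed, deliberately exaggerated rate so the effect is visible.
FEE_PER_SECOND = Fraction(1, 10_000)


class VaultModel:
    """Toy share accounting (assumed fee formula, not the protocol's contract)."""

    def __init__(self, total_supply):
        self.total_supply = Fraction(total_supply)
        self.last_fee_collected = 0      # plays the role of _store.lastFeeCollected
        self.fee_shares = Fraction(0)    # shares minted to the protocol so far

    def mint_fee(self, now):
        # Fee is charged on the supply as it stands *now* for the whole elapsed
        # period, which is why the supply must not change before this runs.
        elapsed = now - self.last_fee_collected
        fee = self.total_supply * FEE_PER_SECOND * elapsed
        self.total_supply += fee
        self.fee_shares += fee
        self.last_fee_collected = now

    def change_supply(self, delta, now, fee_first):
        # delta > 0 models the mint in processDeposit,
        # delta < 0 models the burn in processWithdraw / emergencyWithdraw.
        if fee_first:
            self.mint_fee(now)           # the recommended ordering
        self.total_supply += delta


def fees_collected(start_supply, delta, fee_first, t_process=100, t_next=200):
    """Total fee shares minted by t_next for one delayed mint or burn."""
    vault = VaultModel(start_supply)
    vault.mint_fee(0)                    # deposit()/withdraw() request at t=0
    vault.change_supply(delta, t_process, fee_first)
    vault.mint_fee(t_next)               # next fee collection
    return vault.fee_shares


if __name__ == "__main__":
    for label, supply, delta in (("mint", 1000, 1000), ("burn", 2000, -1000)):
        current = fees_collected(supply, delta, fee_first=False)
        fixed = fees_collected(supply, delta, fee_first=True)
        print(f"{label}: current={float(current)} fee-first={float(fixed)}")
```

In the mint case the current ordering charges more than the fee-first ordering (users overpay); in the burn case it charges less (the protocol is underpaid).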