code-423n4 / 2022-11-redactedcartel-findings


Contract `AutoPxGlp`: Any user can exploit compound incentive rewards by calling `AutoPxGlp.compound()` #333

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGlp.sol#L210-L296

Vulnerability details

Impact

In contract `AutoPxGlp`, any account can exploit incentive rewards by calling `compound(1, 1, false)`.

Proof of Concept

`AutoPxGlp.compound()` is a public function without any guard. Any account may get incentive rewards by calling `autoPxGlp.compound(1, 1, false)` (i.e. opting in to the incentive option). Especially with front-running, by monitoring transactions in the mempool that will trigger `compound()` (i.e. `depositFsGlp()`, `depositGlpETH()`, `depositGlp()`, `redeem()`, `withdraw()`, and `compound()`), an attacker can get a stream of incentive rewards.

Tools Used

Manual audit.

Recommended Mitigation Steps

Change the function visibility from global to internal, or set some guards on the function call, e.g. only the owner of the contract, or only the owners of GMX/GLP/pxGmx..., can call the function, depending on the strategies of the system design.
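As an added illustration, not the project's code, the following hypothetical Solidity sketch puts the unguarded public `compound()` pattern the finding describes next to an access-guarded variant along the lines of the recommended mitigation. The contract, its incentive rate, and the `pendingRewards`/`accrue` stand-ins for the GMX reward claim are all assumptions.

```solidity
pragma solidity ^0.8.0;

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified vault; not the AutoPxGlp code. The GMX reward claim
// and GLP mint are replaced by a `pendingRewards` counter so the pattern is
// self-contained; minUsdg/minGlp are kept only to mirror the call shape.
contract CompoundingVaultSketch {
    IERC20Like public immutable asset;       // assumed: the vault's pxGLP-like asset
    uint256 public constant FEE_DENOMINATOR = 10_000;
    uint256 public compoundIncentive = 100;  // assumed: 1% of the compounded amount
    uint256 public pendingRewards;           // stand-in for rewards claimable from GMX
    address public owner;
    mapping(address => bool) public compounders;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20Like _asset) { asset = _asset; owner = msg.sender; }

    // Constructed stand-in for reward accrual, so the sketch can be exercised.
    function accrue(uint256 amount) external onlyOwner { pendingRewards += amount; }

    function setCompounder(address who, bool allowed) external onlyOwner { compounders[who] = allowed; }

    // Pattern the finding describes: any caller may trigger compounding and,
    // with optOutIncentive == false, keeps an incentive cut of what was harvested.
    function compoundUnguarded(uint256 minUsdg, uint256 minGlp, bool optOutIncentive) external returns (uint256) {
        return _compound(minUsdg, minGlp, optOutIncentive);
    }

    // Guarded variant in the spirit of the recommended mitigation: only
    // owner-approved addresses may call it. Internal deposit/withdraw paths
    // would call _compound() directly and are unaffected by the guard.
    function compound(uint256 minUsdg, uint256 minGlp, bool optOutIncentive) external returns (uint256) {
        require(compounders[msg.sender], "caller not allowed to compound");
        return _compound(minUsdg, minGlp, optOutIncentive);
    }

    function _compound(uint256, uint256, bool optOutIncentive) internal returns (uint256 incentive) {
        uint256 received = pendingRewards;   // real code would claim rewards and mint GLP honouring the min floors
        pendingRewards = 0;
        if (!optOutIncentive && received != 0) {
            incentive = (received * compoundIncentive) / FEE_DENOMINATOR;
            require(asset.transfer(msg.sender, incentive), "transfer failed");
        }
    }
}
```

Whether a guard is appropriate depends on the design: if compounding is meant to be permissionless, the incentive is the price paid for it, which is the position the sponsor takes in the reply below.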

Picodes commented 1 year ago

This is the intended design. Front-running is indeed possible but could be mitigated with a private RPC like Flashbots.

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-11-redactedcartel-findings/issues/330