code-423n4 / 2022-11-redactedcartel-findings


Contract `AutoPxGmx`: Any user can exploit compound incentive rewards by calling `AutoPxGmx.compound()` #335

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L242-L313

Vulnerability details

Impact

In Contract AutoPxGmx, any account may get incentive rewards by calling compound(poolFee, 1, 0, false).

Proof of Concept

AutoPxGmx.compound() is a public function without any guard. Any account (who does not have to be a Pirex user) may get incentive rewards by calling autoPxGmx.compound(poolFee, 1, 0, false) (i.e. opting in to the incentive option). Especially with front-running by monitoring transactions (in the mempool) that will trigger compound() (i.e. depositFsGmx(), redeem(), withdraw(), and compound()), an attacker can get a stream of incentive rewards.

Tools Used

Manual audit.

Recommended Mitigation Steps

Changing the function visibility from global to internal, or setting some guards on the function call, e.g. only the owner of the contract, or only the owners of GMX/GLP/pxGmx... can call the function, depending on the strategies of system design.
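The pattern at issue, and the gating suggested above, reduced to a minimal contract. This is an added illustration, not the Pirex AutoPxGmx code: the reward source, the incentive rate in basis points, the `accrue` helper and the `compounders` allowlist are all hypothetical stand-ins for the real vault's harvest-and-swap logic, and the two `compound*` functions exist side by side only so the permissionless and gated variants can be compared.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Minimal illustration of a caller-incentivised compound (hypothetical, not AutoPxGmx).
/// `_harvest` stands in for the real claim/swap/redeposit logic, which is out of scope here.
contract CompoundIncentiveExample {
    address public owner;
    uint256 public constant FEE_DENOMINATOR = 10_000;
    uint256 public incentiveBps = 100;            // hypothetical: 1% of harvested rewards to the caller
    mapping(address => bool) public compounders;  // allowlist used only by the gated variant
    uint256 public pendingRewards;                // constructed stand-in for claimable rewards
    mapping(address => uint256) public balance;   // constructed stand-in for vault accounting

    event Compounded(address indexed caller, uint256 harvested, uint256 incentive);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Test helper: simulate rewards accruing (constructed, not part of any real vault).
    function accrue(uint256 amount) external onlyOwner {
        pendingRewards += amount;
    }

    function setCompounder(address who, bool allowed) external onlyOwner {
        compounders[who] = allowed;
    }

    /// Shared harvest logic: moves pending rewards into the vault and, if the caller opted in,
    /// credits the caller with a share as compensation for triggering the compound.
    function _harvest(bool optInIncentive) internal returns (uint256 harvested, uint256 incentive) {
        harvested = pendingRewards;
        pendingRewards = 0;
        if (optInIncentive && harvested > 0) {
            incentive = (harvested * incentiveBps) / FEE_DENOMINATOR;
            balance[msg.sender] += incentive;            // caller keeps the incentive
        }
        balance[address(this)] += harvested - incentive; // remainder stays in the vault
        emit Compounded(msg.sender, harvested, incentive);
    }

    /// Permissionless variant: the pattern described in the finding. Any EOA or contract may
    /// call it and opt in to the incentive, so every accrual is claimable by whoever calls first.
    function compoundPermissionless(bool optInIncentive) external returns (uint256, uint256) {
        return _harvest(optInIncentive);
    }

    /// Gated variant: the mitigation suggested in the finding. Only the owner or an allowlisted
    /// keeper can trigger the harvest, so the incentive is paid only to known compounders.
    function compoundGated(bool optInIncentive) external returns (uint256, uint256) {
        require(msg.sender == owner || compounders[msg.sender], "not a compounder");
        return _harvest(optInIncentive);
    }
}
```

The gated variant closes the incentive-farming path but also removes the reason any third party would pay gas to compound on users' behalf, which is the trade-off behind the sponsor's response below: a permissionless compound relies on exactly that open incentive for liveness, and the remaining front-running exposure is then handled at the transaction-submission layer rather than in the contract.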

Picodes commented 1 year ago

This is the desired behavior as these incentives are meant to compensate for the gas fees. As for the front-running risk, this is a drawback of making the function permissionless and could be managed with private RPCs.

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-11-redactedcartel-findings/issues/330