search

code-423n4 / 2022-11-redactedcartel-findings

3 stars 2 forks source link

`compound` could be used by uniswap stakers to maximize fees for AutoPxGmx users #391

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L243

Vulnerability details

Impact

Anyone can call AutoPxGmx::compound. Hence a staker in the 10000 (1% fee) uniswap pool can call compound with that pool and take a larger fee from AutoPxGmx users maximizing their gains and griefing users.

Proof of Concept

fee chooses which uniswap pool to use for trading reward weth for gmx, which is then used for more staking:

vaults/AutoPxGmx.sol:

242:    function compound(
243:        uint24 fee,
244:        uint256 amountOutMinimum,
245:        uint160 sqrtPriceLimitX96,
246:        bool optOutIncentive
247:    )

Since fee is a parameter that the caller chooses a staker in the 1% fee gmx-weth uniswap pool can front run or just periodically call AutoPxGmx::compound to maximize their gains and also grief AutoPxGmx users.

Tools Used

vs code

Recommended Mitigation Steps

Use the fee poolFee which is used when compound is automatically called from other functions in the contract.

0ximmeas commented 2 years ago

duplicate of #346

c4-judge commented 1 year ago

Picodes marked the issue as nullified

c4-judge commented 1 year ago

Picodes marked the issue as not nullified

c4-judge commented 1 year ago

Picodes marked the issue as primary issue

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #91

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes marked the issue as partial-50