search

sherlock-audit / 2023-01-sentiment-judging

2 stars 0 forks source link

ck - `GLP` has a 15 minute cooldown after purchase that is not accounted for #17

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ck

medium

GLP has a 15 minute cooldown after purchase that is not accounted for

Summary

PLVGLPController manages the deposit of sGLP for the Plutus GLP Vault. Deposits will fail unless 15 minutes have passed after every purchase of sGLP.

Vulnerability Detail

According to Plutus Docs, "After buying GLP there is a 15 minute cooldown before being able to deposit for plvGLP". This is due to functionality built directly into GLP - https://plutusdao-1.gitbook.io/plutus-docs/products/plvassets/plvglp.

PLVGLPController has no checks for this and will therefore return true for the canCall function even when the 15 minute cooldown hasn't passed.

     function canCall(address, bool, bytes calldata data)
        external
        view
        returns (bool, address[] memory, address[] memory)
    {
        bytes4 sig = bytes4(data);

        if (sig == DEPOSIT || sig == DEPOSIT_ALL) {
            return (true, PLVGLP, sGLP);
        }

Impact

Operations involve sGLP are likely to constantly fail within the cooldown periods.

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/plutus/PLVGLPController.sol#L48-L64

Tool used

Manual Review

Recommendation

Implement a timestamp check whenever sGLP is purchased by an account. This timestamp can then be used to check whether 15 minutes have passed before a further transfer of the sGLP is done.

r0ohafza commented 1 year ago

The GMX team has removed the 15 min cooldown period on GLP, please refer to this article: https://medium.com/@gmx.io/gmx-deployment-updates-nov-2022-16572314874d