sherlock-audit / 2023-01-sentiment-judging

2 stars 0 forks source link

ctf_sec - Redeem on GMX can be blocked because of cooldown duration limit on redeem and unstake on GMX side #32

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ctf_sec

high

Redeem on GMX can be blocked because of cooldown duration limit on redeem and unstake on GMX side

Summary

Redeem on GMX can be blocked because of cooldown duration limit on redeem and unstake on GMX side

Vulnerability Detail

In the current integration, the code integrate with the GMX reward router integrate with 4 methods:

/// @notice mintAndStakeGlpETH(uint256 _minUsdg,uint256 _minGlp)
bytes4 constant mintAndStakeGlpETH = 0x53a8aa03;

/// @notice mintAndStakeGlp(address _token,uint256 _amount,uint256 _minUsdg,uint256 _minGlp)
bytes4 constant mintAndStakeGlp = 0x364e2311;

/// @notice unstakeAndRedeemGlp(address _tokenOut,uint256 _glpAmount,uint256 _minOut,address _receiver)
bytes4 constant unstakeAndRedeemGlp = 0x0f3aa554;

/// @notice unstakeAndRedeemGlpETH(uint256,uint256,address)
bytes4 constant unstakeAndRedeemGlpETH = 0xabb5e5e2;

However, according to the documentation of the GMX:

https://gmxio.gitbook.io/gmx/contracts#transferring-staked-glp

Since there is a 15 min cooldown duration after minting GLP,

The 'GlpManager' contract of GMX has a 'cooldownDuration' limit on redeem/unstake ('_removeLiquidity()'). While there is at least one deposit/stake ('_addLiquidity()') operation in the past 'cooldownDuration' time, redemption would fail. Obviously this limitation is user-based, and 'PirexGmx' contract is one such user.

https://github.com/gmx-io/gmx-contracts/blob/c3618b0d6fc1b88819393dc7e6c785e32e78c72b/contracts/core/GlpManager.sol#L234

Current setting of 'cooldownDuration' is 15 minutes, the max value is 2 days.

Due to this limit, a user can keep deposit and mint for 1 WEI and block deposit.

Impact

UnStakeAndRedeem function can be blocked because of the GMX cooldown period.

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/gmx/RewardRouterV2Controller.sol#L52

Tool used

Manual Review

Recommendation

We canCall function should not only check if the signature match but also should check if the last deposit timestamp to make sure no malicious user keep calling the stake with small amount to block redeem function.

r0ohafza commented 1 year ago

The GMX team has removed the 15 min cooldown period on GLP, please refer to this article: https://medium.com/@gmx.io/gmx-deployment-updates-nov-2022-16572314874d