Open sherlock-admin opened 1 year ago
caventa
medium
Summary
There is no market enabled validation in Swap and CreateAdl activities.
Vulnerability Detail
Controller may execute activities for a disabled market in Swaphandler and CreateAdlHandler
Impact
Activities can still be performed on a disabled market
Code Snippet
https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/swap/SwapUtils.sol#L98-L149
https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/swap/SwapUtils.sol#L158-L318
https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/adl/AdlUtils.sol#L125-L173
Tool used
Manual Review
Recommendation
Add code similar to the following
Market.Props memory _market = MarketUtils.getEnabledMarket(dataStore, market);
to swap and createAdl
For ADL, the market is validated in _getExecuteOrderParams, called after AdlUtils.createAdlOrder.
For swaps, the swap path is fetched with getEnabledMarkets before calling the swap function.
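The disagreement above comes down to where the enabled-market check lives: inside the swap routine, or in the caller that resolves the swap path. The following is an added example, not code from the GMX repository or from either participant; it is a simplified model in which only the names getEnabledMarket and getEnabledMarkets come from the thread, and the contract, storage layout, errors and toy swap logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model (not GMX code): the inner swap routine has no
// market check of its own, so every entry point must resolve its path through
// getEnabledMarkets before calling it.
contract MarketGate {
    struct Props { address marketToken; address longToken; address shortToken; }

    error EmptyMarket(address market);
    error DisabledMarket(address market);

    address public immutable controller;
    mapping(address => Props) private markets;
    mapping(address => bool) private isDisabled;

    constructor() { controller = msg.sender; }

    modifier onlyController() { require(msg.sender == controller, "not controller"); _; }

    function setMarket(Props calldata p, bool disabled) external onlyController {
        markets[p.marketToken] = p;
        isDisabled[p.marketToken] = disabled;
    }

    // Reverts for unknown or disabled markets, otherwise returns the market.
    function getEnabledMarket(address market) public view returns (Props memory p) {
        p = markets[market];
        if (p.marketToken == address(0)) revert EmptyMarket(market);
        if (isDisabled[market]) revert DisabledMarket(market);
    }

    // Path resolution validates every hop; one disabled hop reverts the whole call.
    function getEnabledMarkets(address[] calldata path) public view returns (Props[] memory out) {
        out = new Props[](path.length);
        for (uint256 i = 0; i < path.length; i++) out[i] = getEnabledMarket(path[i]);
    }

    // Entry point: the check happens here, before the inner routine runs.
    function swap(address[] calldata path, address tokenIn) external view onlyController returns (address) {
        return _swap(getEnabledMarkets(path), tokenIn);
    }

    // Inner routine trusts its input. Toy logic: each hop flips long <-> short.
    function _swap(Props[] memory path, address tokenIn) internal pure returns (address tokenOut) {
        tokenOut = tokenIn;
        for (uint256 i = 0; i < path.length; i++) {
            tokenOut = tokenOut == path[i].longToken ? path[i].shortToken : path[i].longToken;
        }
    }
}
```

When reviewing a pattern like this, the check to make is that no other function reaches `_swap` with a path that was not produced by `getEnabledMarkets`.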