PirexGMX can be permanently DOS'd due to 15 minute cooldown applied by GMX after staking #110
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-113
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L615-L674
Vulnerability details
## Summary
GMX applies a 15 minute cooldown to users/contracts after they stake an underlying asset for GLP. During this period both transferFrom and unstake are unavailable. PirexGMX only allows the user to redeem their pxGLP for GLP underlying assets and never directly for GLP. Due to this, an adversary can DOS withdrawing from the PirexGMX contract by depositing assets every 15 minutes.
Impact
Users will be unable to withdraw their pxGLP
Proof of Concept
Each time a user calls `depositGlp` or `depositGlpETH` the constituent assets are transferred to `PirexGMX` and staked via the `gmxRewardRouterV2#mintAndStakeGlpETH`.
GMXRewardRouterV2
Inside `mintAndStakeGlpETH` the underlying asset is converted to GLP via `glpManager#addLiquidityForAccount`.
[GLPManager](https://arbiscan.io/address/0x321F653eED006AD1C29D174e17d96351BDe22649#code#L913)
The nitty gritty of the conversion happens here and `lastAddedAt[_account]` is updated to `block.timestamp`, which is where the issue lies.
When a user wishes to redeem their pxGLP they are forced to unstake the underlying GLP, which requires that the cooldown duration has expired. An adversary can exploit this to make it impossible to withdraw. By repeatedly making small deposits, they can keep refreshing `lastAddedAt[_account]`, causing every withdraw attempt to revert and trapping users.
Tools Used
Manual Review
Recommended Mitigation Steps
My first recommendation would be to allow users to redeem their pxGLP directly for GLP. My second recommendation would be to remove the ability to directly stake constituent assets. Create batching contracts that collect user deposits and batch stake. Make one for each asset and track balances internally until they can be deposited into the PirexGMX and then users can claim their pxGLP after their batch is staked and deposited.
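The shared-cooldown behaviour described in the report, as an added Python model that is not part of the original submission and is not GMX or Pirex code. The class names, the `"vault"` account label, and the `redeemable_windows` helper are hypothetical; the only values taken from the report are the 15 minute cooldown and the per-account `lastAddedAt` timestamp. The helper computes, for a given series of deposit times, when a redeem would not revert.

```python
COOLDOWN = 15 * 60  # seconds; the 15 minute cooldown described in the report


class CooldownRevert(Exception):
    """Stands in for the revert raised when unstaking during the cooldown."""


class GlpManagerModel:
    """Simplified model: one lastAddedAt timestamp per staking account."""

    def __init__(self):
        self.last_added_at = {}

    def add_liquidity_for_account(self, account, now):
        self.last_added_at[account] = now  # every stake refreshes the timestamp

    def remove_liquidity_for_account(self, account, now):
        last = self.last_added_at.get(account)
        if last is not None and last + COOLDOWN > now:
            raise CooldownRevert("cooldown duration not yet passed")


class VaultModel:
    """Hypothetical vault: every user's deposit is staked from one account."""

    ACCOUNT = "vault"

    def __init__(self, manager):
        self.manager = manager

    def deposit(self, user, now):
        self.manager.add_liquidity_for_account(self.ACCOUNT, now)

    def redeem(self, user, now):
        try:
            self.manager.remove_liquidity_for_account(self.ACCOUNT, now)
        except CooldownRevert:
            return False  # the whole redeem reverts for this user
        return True


def redeemable_windows(deposit_times, horizon):
    """[start, end) intervals before `horizon` in which a redeem succeeds."""
    times = sorted(deposit_times)
    windows = []
    for i, t in enumerate(times):
        opens = t + COOLDOWN
        closes = times[i + 1] if i + 1 < len(times) else horizon
        if opens < closes:
            windows.append((opens, closes))
    return windows
```

Because the timestamp is keyed on the vault's account rather than on the depositor, any deposit closes the window for every holder, which is why both recommended mitigations either avoid the unstake step or decouple individual deposits from the staking call.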