AutoPxGmx rewards can be drained #142
Labels: 2 (Med Risk), bug, downgraded by judge, duplicate-137, satisfactory
Lines of code
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGmx.sol#L242-L247
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexRewards.sol#L373
Vulnerability details
Impact
Vault rewards may be drained through a combination of `claimRewards()`, `compound()`, and Uniswap trades by the attacker.
Proof of Concept
1. `claimRewards({producerToken: WETH, user: vault})` to get WETH into the vault.
2. `compound({fee: poolFee, amountOutMinimum: 1, sqrtPriceLimitX96: 0, optOutIncentive: true})`. The attacker sandwiches this transaction with two transactions which purchase and sell WETH.
Recommended Mitigation Steps
Only allow `compound()` to be called by trusted operators. Additionally, consider calculating amountOutMinimum based on Chainlink oracle prices.
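The effect of `amountOutMinimum: 1` and of the oracle-based minimum recommended above, as an added Python model (not code from the report or the project). It assumes a constant-product pool with constructed reserves and fee in place of the real Uniswap V3 pool, and a hypothetical oracle price of 30 GMX per WETH.

```python
# Added model: constant-product pool with constructed reserves (assumption);
# the vault's real swap goes through a Uniswap V3 pool.
class Pool:
    def __init__(self, weth, gmx, fee=0.003):
        self.weth, self.gmx, self.fee = weth, gmx, fee

    @staticmethod
    def _out(amount_in, reserve_in, reserve_out, fee):
        net = amount_in * (1 - fee)
        return reserve_out * net / (reserve_in + net)

    def sell_weth(self, amount_in, min_out=0.0):
        out = self._out(amount_in, self.weth, self.gmx, self.fee)
        if out < min_out:                      # router-style slippage check
            raise ValueError("Too little received")
        self.weth += amount_in
        self.gmx -= out
        return out

    def sell_gmx(self, amount_in):
        out = self._out(amount_in, self.gmx, self.weth, self.fee)
        self.gmx += amount_in
        self.weth -= out
        return out


def oracle_min_out(weth_in, gmx_per_weth, slippage_bps):
    """Minimum GMX to accept, from an external price rather than the pool."""
    return weth_in * gmx_per_weth * (10_000 - slippage_bps) / 10_000


def compound_swap(vault_weth, min_out, surrounding_weth):
    """Vault swap wrapped by a buy before and a sell after.
    Returns (GMX the vault receives, WETH gained by the surrounding trader)."""
    pool = Pool(weth=1_000.0, gmx=30_000.0)        # constructed: 30 GMX per WETH
    bought = pool.sell_weth(surrounding_weth)      # moves the pool price first
    vault_gmx = pool.sell_weth(vault_weth, min_out)
    weth_back = pool.sell_gmx(bought)              # unwinds after the vault swap
    return vault_gmx, weth_back - surrounding_weth


if __name__ == "__main__":
    fair, _ = compound_swap(10.0, 1, 0.0)
    print("undisturbed:", round(fair, 2))
    print("min_out=1, sandwiched:", compound_swap(10.0, 1, 500.0))
    floor = oracle_min_out(10.0, 30.0, 200)        # hypothetical oracle price
    try:
        compound_swap(10.0, floor, 500.0)
    except ValueError as e:
        print("oracle floor", floor, "->", e)
```

With a minimum of 1 the vault's swap succeeds at less than half the undisturbed output and the difference goes to the surrounding trader; with the oracle-derived floor the same swap reverts, while an undisturbed swap still clears it.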