There is a 15 min cooldown duration after minting GLP in GMX; a user can DoS (block) the PirexGmx.sol#redeemPxGlp call by repeatedly extending the 15 minute cooldown, calling AutoPxGlp#depositGlp with a small amount of GLP #161
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-113
- satisfactory: satisfies C4 submission criteria; eligible for awards
- upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/AutoPxGlp.sol#L394
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L602
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L510
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L730
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L657
Vulnerability details
Impact
There is a 15 min cooldown duration after minting GLP; a user can DoS (block) the PirexGmx.sol#redeemPxGlp call by repeatedly extending the 15 minute cooldown, calling AutoPxGlp#depositGlp with a small amount of GLP.
Proof of Concept
I want to point to a special timelock mechanism in GMX:
https://gmxio.gitbook.io/gmx/contracts#transferring-staked-glp
How is this cooldown period implemented, and how does it affect the PirexGmx.sol contract and the AutoPxGlp.sol contract?
Why do I say that a user can DoS the redeem function by extending the cooldown period?
Let us take a top-down approach and look into the contract code:
A user can call AutoPxGlp.sol#depositGlp to deposit GLP (minted with ERC20 tokens) for apxGLP,
which calls:
which calls PirexGmx.sol#depositGlp
which calls:
which calls:
this call is very important:
gmxRewardRouterV2.mintAndStakeGlp(token, tokenAmount, minUsdg, minGlp);
it is calling:
https://arbiscan.io/address/0xA906F338CB21815cBc4Bc87ace9e68c87eF8d8F1#code#F1#L128
which calls:
this is also important:
we are calling:
https://arbiscan.io/address/0x321F653eED006AD1C29D174e17d96351BDe22649#code#L841
which calls:
crucial notes about this section:
How does the code use lastAddedAt[_account] to implement the 15 minute cooldown period?
it is used here:
https://arbiscan.io/address/0x321F653eED006AD1C29D174e17d96351BDe22649#code#L936
This means that if removeLiquidity is called within the 15 minute cooldown period, the transaction reverts.
Do we use this function? Yes.
The call stack is:
PirexGmx.sol#redeemPxGlp -> gmxRewardRouterV2.unstakeAndRedeemGlp ->
https://arbiscan.io/address/0xA906F338CB21815cBc4Bc87ace9e68c87eF8d8F1#code#F1#L164
which calls:
https://arbiscan.io/address/0x321F653eED006AD1C29D174e17d96351BDe22649#code#L853
which reverts during the 15 minute cooldown period:
https://arbiscan.io/address/0x321F653eED006AD1C29D174e17d96351BDe22649#code#L936
Note that lastAddedAt is keyed on the GMX account, and for Pirex that account is the PirexGmx contract holding everyone's GLP. So a user can keep calling AutoPxGlp#depositGlp with 1 unit of GLP to extend the 15 minute cooldown by another 15 minutes each time, and PirexGmx.sol#redeemPxGlp reverts for every user.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend that the project add a rate limit so that users cannot call depositGlp too frequently, so that redemption transactions do not revert during the cooldown period.
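The shared-cooldown mechanism from the proof of concept and the rate-limit mitigation above, as an added simulation that is not Pirex or GMX code. `GlpManager`, `PirexVault`, `first_redeem_minute`, the user names and the per-user `min_interval` are constructed for this example; it shows that a per-user interval only opens a redemption window once it is longer than the GMX cooldown itself.

```python
# Added simulation, not Pirex or GMX code. GMX keys its GLP cooldown on the GMX-side
# account, and for Pirex that account is the PirexGmx contract itself, so one user's
# depositGlp pushes back every other user's redeemPxGlp. All values are constructed.
COOLDOWN = 15 * 60  # GlpManager.cooldownDuration, 15 minutes, in seconds

class GlpManager:
    """Toy GMX GlpManager: addLiquidity stamps lastAddedAt, removeLiquidity checks it."""
    def __init__(self):
        self.last_added_at = {}  # account -> timestamp of its last addLiquidity

    def add_liquidity(self, account, now):
        self.last_added_at[account] = now  # reset on every add, whatever the amount

    def remove_liquidity(self, account, now):
        if now < self.last_added_at.get(account, 0) + COOLDOWN:
            raise RuntimeError("GlpManager: cooldown duration not yet passed")

class PirexVault:
    """One GMX account ("pirex") holds GLP for all users. min_interval is the per-user
    deposit rate limit the report recommends (0 = current behaviour, no limit).
    A per-address interval only bounds that address, so treat it as one layer."""
    def __init__(self, min_interval=0):
        self.manager, self.min_interval = GlpManager(), min_interval
        self.last_deposit = {}  # user -> timestamp of that user's last depositGlp

    def deposit_glp(self, user, now):
        last = self.last_deposit.get(user)
        if last is not None and now - last < self.min_interval:
            raise RuntimeError("PirexVault: deposit rate limited")
        self.last_deposit[user] = now
        self.manager.add_liquidity("pirex", now)

    def redeem_px_glp(self, now):
        self.manager.remove_liquidity("pirex", now)

def first_redeem_minute(min_interval, horizon_min=120):
    """Alice deposits at minute 0 and retries redeemPxGlp every minute; Bob tries a
    dust depositGlp every minute (rejected when rate limited). Returns the first
    minute Alice's redeem goes through, or None if the cooldown blocks her throughout."""
    vault = PirexVault(min_interval)
    vault.deposit_glp("alice", 0)
    for minute in range(horizon_min + 1):
        now = minute * 60
        try:
            vault.deposit_glp("bob", now)
        except RuntimeError:
            pass  # Bob's deposit was rate limited this minute
        try:
            vault.redeem_px_glp(now)
            return minute
        except RuntimeError:
            continue  # still inside the shared GMX cooldown
    return None
```

With no limit, or a limit equal to the cooldown, Bob's dust deposits block Alice for the whole horizon; only an interval longer than the cooldown lets her redeem at minute 15.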