PirexGmx
contract migration can be blocked
#198
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-61
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L930
Vulnerability details
Impact
For migration to work correctly the contract
PirexGmx
is using functions fromIRewardRouterV2
contract.It has to follow a sequence of first calling
setPauseState(true)
theninitiateMigration
and the final step is for the new contract to callcompleteMigration
.This process can be broken by sending at least one token of (Vested GMX) vGMX or (Vested GLP) vGLP to the
PirexGMX
contract because:When calling
initiateMigration
the old contract is signaling its intent viagmxRewardRouterV2.signalTransfer(newContract);
and by doing this the called contract is checking if we have any mentioned token in the contract balance. If we do then the call is reverted and the migration is stopped.https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexGmx.sol#L930
The migration is stopped because in the next sequence call the router (
gmxRewardRouterV2
) is reverting because we have failed to set thependingReceivers
(field is insidegmxRewardRouterV2
code) to our new contract address using ourinitiateMigration
call.The
PirexGMX
contract does not have any capacity to move this offending tokens out before initiating the migration process.Proof of Concept
On both Arbitrum and Avalanche the suggested contract addresses for RewardRouterV2::signalTransfer this check is made like this:
Tools Used
Manual review
Recommended Mitigation Steps
And function to the
PirexGMX
contract owner to clear/move out the offending tokens before initiating the migration sequnence.The text was updated successfully, but these errors were encountered: