This repository has been archived by the owner on Dec 10, 2023. It is now read-only.
chaduke - MarketUtils.getPoolValueInfo() does not use !maximize when evaluating impactPoolUsd, leading to wrong logic of maximizing or minimizing the pool value. #160
Labels
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
xvi10
added
Sponsor Confirmed
|
fixed in gmx-io/gmx-synthetics@13913a2 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
chaduke
high
MarketUtils.getPoolValueInfo() does not use !maximize when evaluating impactPoolUsd, leading to wrong logic of maximizing or minimizing the pool value.
Summary
MarketUtils.getPoolValueInfo()does not use!maximizewhen evaluatingimpactPoolUsd, leading to wrong logic of maximizing or minimizing the pool value.This function is reachable by a withdrawal order to determine the amount of long/short tokens to withdraw, as a result, such amounts might be overesitmated due to the wrong logic in
MarketUtils.getPoolValueInfo(), leading to possible draining of the pool in the long run!Vulnerability Detail
MarketUtils.getPoolValueInfo()is used to get the USD value of a pool. It is called in a withdrawal order execution to determine the amount of long/short tokens to withdraw via flowWithdrawalUtils.executeWithdrawal() -> _executeWithdrawal() -> WithdrawUtils.executeWithdrawal() -> _executeWithdrawal() -> _getOutputAmounts() -> MarketUtils.getPoolValueInfo(). Let's look atMarketUtils.getPoolValueInfo()assuming maximize = false. (which is the case in a withdrawl order). That is, we are trying to minimize the pool value. This is understandable since we need to minimize the output amounts of withdrawn tokens in favor of the system. The analysis for the case of maximize = true is similar.https://github.com/sherlock-audit/2023-04-gmx/blob/main/gmx-synthetics/contracts/market/MarketUtils.sol#L289-L375
There are a few items we need to calculate:
!maximizesince both of them will be subtracted from the total value.In summary, just like calculating Pnl, we need to use
indexTokenPrice.pickPrice(!maximize)instead ofindexTokenPrice.pickPrice(maximize)to calculateimpactPoolUsd. Only in this way, the logic of the input parametermaximizecan be implemented properly.Impact
Code Snippet
getPoolValueInfo() does not use !maximize when evaluating impactPoolUsd, leading to wrong logic of maximizing or minimizing the pool value. As a result, when
isMaximizeis true, the returned value is actually not maximized! In the case of withdrawl, a slight overestimation of the output tokens might occur and lead to possible draining of the pool in the long run!Tool used
VSCode
Manual Review
Recommendation
In function
MarketUtils.getPoolValueInfo()we need to use
indexTokenPrice.pickPrice(!maximize)instead ofindexTokenPrice.pickPrice(maximize)to calculateimpactPoolUsd.The text was updated successfully, but these errors were encountered: