low

getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives w...

Contest
sponsor logo

Steadefi
Reward

Total

102.44 USDC

Citris
Selected
59.76 USDC
FalconHoof
42.68 USDC
Selected Submission

getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee

Severity

Low Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/oracles/GMXOracle.sol#L134

Summary

getsAmountsIn in GMXOracle hardcoded 15e14(15bps) for amountsIn would gives wrong amountsIn since GMX market has dynamic impact fee.

With Reference to GMXv2, they have an impact pool which holds the fund collected from depositor who deposit on the imbalanced side of the market, namely a bigger cumulative vritualBalance. The fee is also documented here

https://github.com/gmx-io/gmx-synthetics/blob/613c72003eafe21f8f80ea951efd14e366fe3a31/contracts/deposit/ExecuteDepositUtils.sol#L130-L134

        MarketUtils.distributePositionImpactPool(
            params.dataStore,
            params.eventEmitter,
            market.marketToken
        );

Therefore the getsAmountIn may not be sufficient for the deposit/rebalance, if the the rebalance is done in a while that is against the incurred impact price fee.

Vulnerability Details

Impact

getsAmountsIn hardcoded 15bps for buffer which may not be representative of the dynamic fee implemented in GMXv2.

Tools Used

Recommendations

ImpactPrice calculation can be imported from the PricingUtil.sol in GMXv2 repo.

There is a script to calculate/verify the impact against tradeSize off-chain here