medium

A depositor of the GMXVault can bypass paying the fee when the depositor depo...

Contest
sponsor logo

Steadefi
Reward

Total

435.67 USDC

hash
181.53 USDC
0xmuxyz
Selected
254.14 USDC
Selected Submission

A depositor of the GMXVault can bypass paying the fee when the depositor deposit into the GMXVault.

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXDeposit.sol#L119

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXVault.sol#L335

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXDeposit.sol#L172

Summary

The fee-minted in the form of shares (svTokens) would not be subtracted from the amount of shares (svTokens) to be minted to the GMXVault's depositor.

Due to that, a depositor of the GMXVault could receive the amount of the shares (svTokens), which the amount of the fee-minted in the form of the shares (svTokens) via the GMXDeposit#mintFee() was not subtracted.

This means that a depositor of the GMXVault can bypass paying the fee when the depositor deposit into the GMXVault.

Vulnerability Details

Within the GMXDeposit#deposit(), the GMXVault#mintFee() would be called to mint the fee in the form of the svTokens like this: https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXDeposit.sol#L119

  /**
    * @notice @inheritdoc GMXVault
    * @param self GMXTypes.Store
    * @param isNative Boolean as to whether user is depositing native asset (e.g. ETH, AVAX, etc.)
  */
  function deposit(
    GMXTypes.Store storage self,
    GMXTypes.DepositParams memory dp,
    bool isNative
  ) external {
    ...
    self.status = GMXTypes.Status.Deposit;

    self.vault.mintFee();    ///<----------------------- @audit
    ...

Within the GMXVault#mintFee(), the amount (GMXReader.pendingFee(_store)) of the shares would be minted to the treasury (_store.treasury) in the form of the svTokens like this: https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXVault.sol#L335

  /**
    * @notice Mint vault token shares as management fees to protocol treasury
  */
  function mintFee() public {
    _mint(_store.treasury, GMXReader.pendingFee(_store)); ///<------------ @audit
    _store.lastFeeCollected = block.timestamp;
  }

When callback of deposit, the the GMXDeposit#processDeposit() would be called via the GMXVault#deposit().

Within the GMXDeposit#processDeposit(), the amount (self.depositCache.sharesToUser) of shares (VaultTokens) would be minted to the GMXVault's depositor (self.depositCache.user) like this: https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXDeposit.sol#L172

  /**
    * @notice @inheritdoc GMXVault
    * @param self GMXTypes.Store
  */
  function processDeposit(
    GMXTypes.Store storage self
  ) external {
    GMXChecks.beforeProcessDepositChecks(self);

    // We transfer the core logic of this function to GMXProcessDeposit.processDeposit()
    // to allow try/catch here to catch for any issues or any checks in afterDepositChecks() failing.
    // If there are any issues, a DepositFailed event will be emitted and processDepositFailure()
    // should be triggered to refund assets accordingly and reset the vault status to Open again.
    try GMXProcessDeposit.processDeposit(self) {
      // Mint shares to depositor
      self.vault.mint(self.depositCache.user, self.depositCache.sharesToUser); ///<------------- @audit
      ...

Within the GMXDeposit#processDeposit() above, the amount of the fee-minted in the form of the shares (svTokens) via the GMXDeposit#mintFee() is supposed to be subtracted from the amount of the shares to be minted to the GMXVault's depositor via the GMXDeposit#processDeposit().

However, there is no logic to subtract the amount of the fee-minted in the form of the shares (svTokens) via the GMXDeposit#mintFee() from the amount of the shares to be minted to the GMXVault's depositor in the form of the shares (svTokens) via the GMXDeposit#processDeposit().

Impact

The depositor could receive the amount of the shares (svTokens), which the amount of the fee-minted in the form of the shares (svTokens) via the GMXDeposit#mintFee() was not subtracted.

This means that a depositor of the GMXVault can bypass paying the fee when the depositor deposit into the GMXVault.

Tools Used

  • Foundry

Recommendations

Within the GMXDeposit#processDeposit(), consider adding a logic to subtract the amount of the fee-minted in the form of the shares (svTokens) via the GMXDeposit#mintFee() from the amount of the shares to be minted to the GMXVault's depositor in the form of the shares (svTokens) via the GMXDeposit#processDeposit().