Code4rena finding: code-423n4 / 2022-11-redactedcartel-findings, issue 391
Nov 28, 2022

compound could be used by uniswap stakers to maximize fees for AutoPxGmx users

Lines of code

Vulnerability details

Impact

Anyone can call AutoPxGmx::compound. Hence a staker (liquidity provider) in the 10000 (1% fee) Uniswap pool can call compound with that pool and take a larger fee from AutoPxGmx users, maximizing their own gains and griefing the vault's users.

Proof of Concept

The fee parameter selects which Uniswap pool (fee tier) is used to swap the WETH rewards for GMX, which is then restaked:

vaults/AutoPxGmx.sol (lines 242-247):

    function compound(
        uint24 fee,
        uint256 amountOutMinimum,
        uint160 sqrtPriceLimitX96,
        bool optOutIncentive
    )

Since fee is a parameter that the caller chooses, a staker in the 1% fee GMX-WETH Uniswap pool can front-run, or simply periodically call, AutoPxGmx::compound to maximize their gains and grief AutoPxGmx users.

Tools Used

VS Code

Recommended Mitigation Steps

Use the stored poolFee, which is already used when compound is called automatically from other functions in the contract, instead of a caller-supplied fee.
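To make the mitigation concrete, the following is an added, constructed example (it is not the AutoPxGmx contract or any other Redacted Cartel code): a minimal vault whose compound reads the fee tier from the storage variable poolFee rather than from a caller-supplied parameter, with the caller-chosen signature kept alongside for contrast. The contract name FeeTierVaultExample, the owner check, setPoolFee and _swapRewards are assumptions; the ISwapRouter subset matches Uniswap V3's exactInputSingle, and the allowed fee tiers (100, 500, 3000, 10000) are the ones Uniswap V3 deploys.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Uniswap V3's ISwapRouter; the struct and function match the real router.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        returns (uint256 amountOut);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed, simplified vault (not AutoPxGmx): it models only the
// "swap WETH rewards for GMX" step of compound, where the fee tier matters.
contract FeeTierVaultExample {
    ISwapRouter public immutable router;
    IERC20 public immutable weth; // reward token the vault accumulates
    IERC20 public immutable gmx;  // token the vault restakes
    address public owner;
    uint24 public poolFee;        // fee tier fixed by the owner, e.g. 3000 = 0.3%

    // Emitting the tier used makes any deviation visible on-chain.
    event Compounded(uint24 feeTierUsed, uint256 wethIn, uint256 gmxOut);

    constructor(address _router, address _weth, address _gmx, uint24 _poolFee) {
        router = ISwapRouter(_router);
        weth = IERC20(_weth);
        gmx = IERC20(_gmx);
        owner = msg.sender;
        _setPoolFee(_poolFee);
    }

    // Only the owner may change the pool, and only to a tier Uniswap V3 deploys.
    function setPoolFee(uint24 _poolFee) external {
        require(msg.sender == owner, "not owner");
        _setPoolFee(_poolFee);
    }

    function _setPoolFee(uint24 _poolFee) internal {
        require(
            _poolFee == 100 || _poolFee == 500 || _poolFee == 3000 || _poolFee == 10000,
            "invalid fee tier"
        );
        poolFee = _poolFee;
    }

    // Caller-chosen fee tier, mirroring the reported signature: any caller can
    // steer every compound through the most expensive pool.
    function compoundVulnerable(
        uint24 fee,
        uint256 amountOutMinimum,
        uint160 sqrtPriceLimitX96
    ) external returns (uint256) {
        return _swapRewards(fee, amountOutMinimum, sqrtPriceLimitX96);
    }

    // Hardened: the tier comes from storage, as the mitigation recommends, so the
    // function can stay permissionless without letting the caller pick the pool.
    function compound(uint256 amountOutMinimum, uint160 sqrtPriceLimitX96)
        external
        returns (uint256)
    {
        return _swapRewards(poolFee, amountOutMinimum, sqrtPriceLimitX96);
    }

    function _swapRewards(
        uint24 fee,
        uint256 amountOutMinimum,
        uint160 sqrtPriceLimitX96
    ) internal returns (uint256 gmxOut) {
        uint256 wethIn = weth.balanceOf(address(this));
        if (wethIn == 0) return 0;

        weth.approve(address(router), wethIn);
        gmxOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: address(weth),
                tokenOut: address(gmx),
                fee: fee,
                recipient: address(this),
                deadline: block.timestamp,
                amountIn: wethIn,
                amountOutMinimum: amountOutMinimum,
                sqrtPriceLimitX96: sqrtPriceLimitX96
            })
        );
        emit Compounded(fee, wethIn, gmxOut);
        // Restaking the received GMX is omitted; it does not depend on the fee tier.
    }
}
```

The hardened compound keeps the permissionless behaviour the report describes (anyone may trigger compounding) while removing the one input that let a caller choose where the swap is routed. The Compounded event records the tier actually used, so a monitor can alert if a swap ever goes through a pool other than the configured one.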

