13 matches found
Upgraded Q -> M from #251 [1670231833702]
Judge has assessed an item in Issue 251 as M risk. The relevant finding follows: AutoPxGlp.setPlatform and AutoPxGmx.setPlatform break the vaults functionalities. Looking at AutoPxGlp.setPlatform: this admin setter allows the owner to change the pirexGmx address in AutoPxGlp. The issue is that it...
Upgraded Q -> M from #316 [1670230229509]
Judge has assessed an item in Issue 316 as M risk. The relevant finding follows: compound in AutoPxGmx can be called by anyone and can be sandwiched if a poorly chosen amountOutMinimum is used. The idea is to call the function often by adding an incentive to the caller. There is a problematic...
Upgraded Q -> M from #38 [1670234424045]
Judge has assessed an item in Issue 38 as M risk. The relevant finding follows: L2. Pool selection for the compound is not restricted Compound function of AutoPxGmx contract is public and available for everyone. An attacker can create a custom pool with a higher fee value currently, on tests it...
AutoPxGlp and AutoPxGmx are not compliant with ERC4626 standard
Lines of code Vulnerability details Proof of Concept In both contracts, the previewWithdraw function has the same body // Calculate shares based on the specified assets' proportion of the pool uint256 shares = convertToSharesassets; // Save 1 SLOAD uint256 totalSupply = totalSupply; // Factor in...
Compounding is vulnerable to sandwich attack
Lines of code Vulnerability details Impact Function compound is called in every deposit/withdraw in AutoPxGmx contract. It claim rewards in form of gmxBaseReward and swap them to gmx token. They used amountOutMinimum from input params gmxAmountOut = SWAPROUTER.exactInputSingle...
Uniswap V3 swaps are vulnerable to a sandwich attack
Lines of code Vulnerability details Impact As the amountOutMinimum is always hardcoded with 1 in the AutoPxGmx, then the Uniswap V3 swap is vulnerable to a frontrun / sandwich attack. Proof of Concept Even though the amountOutMinimum may never be 0 because it is prevented against it: if...
compound could be used by uniswap stakers to maximize fees for AutoPxGmx users
Lines of code Vulnerability details Impact Anyone can call AutoPxGmx::compound. Hence a staker in the 10000 1% fee uniswap pool can call compound with that pool and take a larger fee from AutoPxGmx users maximizing their gains and griefing users. Proof of Concept fee chooses which uniswap pool to...
A malicious user might call AutoPxGmx.compound() with a higher fee than poolFee.
Lines of code Vulnerability details Impact A malicious user might call AutoPxGmx.compound with a higher fee than poolFee. As a result, there would be a fund loss for the users because they paid more than expected for the swap router. Proof of Concept As we can see here, Uniswap V3 introduces...
Underlying assets stealing in AutoPxGmx and AutoPxGlp via share price manipulation
Lines of code Vulnerability details Impact pxGMX and pxGLP tokens can be stolen from depositors in AutoPxGmx and AutoPxGlp vaults by manipulating the price of a share. Proof of Concept ERC4626 vaults are subject to a share price manipulation attack that allows an attacker to steal underlying toke...
Deposits and compounds will be frozen after a PirexGmx migration
Lines of code Vulnerability details Impact After a migration of the platform PirexGmx contract, the approval of the AutoPxGlp from the new PirexGmx contract will be zero. The same issue is here for the AutoPxGmx contract. Proof of Concept Even though the approval of gmxBaseReward formerly WETH fo...
Slippage protection on AutoPxGmx::compound calls is insufficient and can result in MEV
Lines of code Vulnerability details Proof of Concept The compound method has the amountOutMinimum parameter, which basically serves as the slippage tolerance parameter. The problem is that everywhere in the code where compound is called, the value of amountOutMinimum is just 1 wei, which basicall...
First depositor who is a whale account can deny later depositors who are smaller accounts from using AutoPxGmx contract, such as for depositing GMX for apxGMX
Lines of code Vulnerability details Impact A whale account that owns a lot of GMX can call the following PirexGmx.depositGmx function to deposit much GMX for pxGMX. As the first depositor for the AutoPxGmx contract, this account can then call the AutoPxGmx.depositGmx function to deposit 1 wei GMX...
fee loss in AutoPxGmx and AutoPxGlp and reward loss in AutoPxGlp by calling PirexRewards.claim(pxGmx/pxGpl, AutoPx*) directly which transfers rewards to AutoPx* pool without compound logic get executed and fee calculation logic and pxGmx wouldn't be executed for those rewards
Lines of code Vulnerability details Impact Function compound in AutoPxGmx and AutoPxGlp contracts is for compounding pxGLP and additionally pxGMX rewards. it works by calling PirexGmx.claimpx, this to collect the rewards of the vault and then swap the received amount to calculate the reward,...