Omniscia Steadefi Audit

GMXPerpetualDEXLongManager Manual Review Findings

GMD-01M: Inexistent Slippage Protections

| Type | Severity | Location |
| --- | --- | --- |
| Logical Fault | | GMXPerpetualDEXLongManager.sol:L315-L316, L331-L332, L344 |

Description:

The referenced integrations with RewardRouterV2 of the GMX protocol do not specify correct minimum values in the referenced mint, stake, and unstake operations.

Impact:

The current mechanisms of the contract render the users as well as the system itself prone to arbitrage attacks, causing them to receive less value for their interactions with the GMX protocol.

Example:

contracts/vaults/gmx/GMXPerpetualDEXLongManager.sol
325 function _addLiquidity() internal {
326
327     // Add liquidity
328     rewardRouter.mintAndStakeGlp(
329         token(),
330         IERC20(token()).balanceOf(address(this)),
331         0, // _minUsdg: no lower bound on USDG output
332         0  // _minGlp: no lower bound on GLP minted
333     );
334 }

Recommendation:

We advise correct values to be relayed from the top-level context of each code-path to the mintAndStakeGlp / unstakeAndRedeemGlp function call via the introduction of new variables wherever necessary (i.e. GMXPerpetualDEXLongVault::deposit -> GMXPerpetualDEXLongManager::work -> GMXPerpetualDEXLongManager::_addLiquidity).
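The relay described in the recommendation, sketched as an added example (not code from the Steadefi repository or from the audit). The contract name, the `vault` access check, and the `ZeroMinimum` guard are hypothetical; only the `mintAndStakeGlp` signature comes from GMX's RewardRouterV2, and token approval handling is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Subset of GMX RewardRouterV2 used by this example.
interface IRewardRouterV2 {
    function mintAndStakeGlp(
        address token, uint256 amount, uint256 minUsdg, uint256 minGlp
    ) external returns (uint256);
}

// Hypothetical manager: caller-supplied minimums flow from the entry point
// down to the GMX call instead of being hard-coded to zero.
contract SlippageAwareManager {
    IRewardRouterV2 public immutable rewardRouter;
    address public immutable token;
    address public immutable vault; // assumed sole caller of work()

    error OnlyVault();
    error ZeroMinimum();

    constructor(IRewardRouterV2 _rewardRouter, address _token, address _vault) {
        rewardRouter = _rewardRouter;
        token = _token;
        vault = _vault;
    }

    // The vault forwards the minimums it received from the depositor.
    // They must be chosen off-chain: bounds derived from spot values inside
    // the same transaction move with the manipulated price and protect nothing.
    function work(uint256 minUsdg, uint256 minGlp) external returns (uint256) {
        if (msg.sender != vault) revert OnlyVault();
        return _addLiquidity(minUsdg, minGlp);
    }

    function _addLiquidity(uint256 minUsdg, uint256 minGlp)
        internal returns (uint256 glpMinted)
    {
        // Reject the degenerate bound the finding describes.
        if (minGlp == 0) revert ZeroMinimum();
        // GMX reverts the mint if the output falls below either minimum.
        glpMinted = rewardRouter.mintAndStakeGlp(
            token, IERC20(token).balanceOf(address(this)), minUsdg, minGlp
        );
    }
}
```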

Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):

This finding was addressed as part of the efforts for alleviating GMX-06M, rendering slippage checks redundant in the nested GMXPerpetualDEXLongManager::_addLiquidity call given that they are evaluated at the higher GMXPerpetualDEXLongVault::deposit and GMXPerpetualDEXLongVault::withdraw levels.