Redacted Cartel contest - Englave's results

Judge has assessed an item in Issue #38 as M risk. The relevant finding follows:

L2. Pool selection for the compound is not restricted Compound function of AutoPxGmx contract is public and available for everyone. An attacker can create a custom pool with a higher fee value (currently, on tests it uses 0.3%, but it's possible to create a pool with a max of 1% fee) on Uniswap and manually execute compound function to drain gmxBaseReward from higher fees. The issue is minor while Uniswap limits pool fees to 1%, but in the future, in case it will be changed - the issue could become more critical.

Path: ./external/vaults/AutoPxGmx.sol : compound() Recommendation: Do not allow it to pass a custom fee value (use fee from state variable).

Lines of code

https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGmx.sol#L275 https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/vaults/AutoPxGlp.sol#L243

Vulnerability details

Impact

Existing contracts during interaction with Uniswap don’t specify meaningful “minAmountOut”, which leads to “Sandwtich attack”. During compound function execution, in case of a reasonable attack amount of tokens swap, an attacker can pay more Gas to execute their transaction first, and affect the token price by buying/selling in Uniswap, so the existing contract will perform the transaction with the reduced token price. This type of attack will drain a small percentage of tokens from each compound operation.

Proof of Concept

This is a pretty popular type of issue, so providing nothing as PoC here.

Tools Used

Manual testing

Recommended Mitigation Steps

Specify slippage percentage to limit losses on swap operations.