Redacted Cartel contest - kyteg's results

Boosted GMX assets from your favorite liquid token wrapper, Pirex - brought to you by Redacted Cartel.

General Information

Platform: Code4rena

Start Date: 21/11/2022

Pot Size: $90,500 USDC

Total HM: 18

Participants: 101

Period: 7 days

Judge: Picodes

Total Solo HM: 4

Id: 183

League: ETH

Researcher Performance

Rank: 14/101

Findings: 1

Award: $1,238.16

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: R2

Also found by: kyteg

Labels

bug
2 (Med Risk)
satisfactory
duplicate-196

Awards

1238.1649 USDC - $1,238.16

External Links

Lines of code

https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/PirexGmx.sol#L505-L516

Vulnerability details

Impact

If an ERC20 token that takes fees on transfers is GMX-whitelisted and used to mint and stake GLP, there will be a mismatch between the token amount received by the PirexGmx.sol contract and the value of GLP minted and staked by PirexGmx.sol. This will slowly drain the contract of funds.

Proof of Concept

If the depositGlp() function is called by a user to deposit GLP using a GMX-whitelisted token, the PirexGmx.sol contract requests a funds transfer from the token contract via the SafeTransferFrom() function on line 506 (https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/PirexGmx.sol#L506). If the token contract takes fees on transfer, the actual balance of tokens transferred to the PirexGmx.sol contract is less than tokenAmount.

The contract then mints and stakes tokens based on the tokenAmount variable on lines 510-515, which is smaller than the amount of tokens received by the contract. https://github.com/code-423n4/2022-11-redactedcartel/blob/main/src/PirexGmx.sol#L510-L515.

Tools Used

Manual code inspection

There is no easy mitigation for this problem, as there are no easy ways to check the received token balance after a transaction. A possible solution is to check the contract's token balance before and after the transaction to determine the actual amount of tokens received, but this may lead to unforeseen race condition vulnerabilities. Another possible solution is to keep a separate token whitelist separate from the GMX contract, and only allow non-fee-on-transfer tokens on the whitelist.
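The balance-before/after check mentioned in the finding, sketched as an added example that is not part of the submission and is not PirexGmx code. The `DepositAccounting` contract, its function names and the `minReceived` parameter are hypothetical; the reentrancy guard keeps a token callback from nesting a second deposit between the two balance reads.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal interface. Assumes the token returns bool; production code would use
// a safe-transfer wrapper to also handle tokens that return nothing.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

/// Hypothetical vault (illustration only): pulls tokens, then credits an amount.
contract DepositAccounting {
    // Stands in for the GLP minted and staked on behalf of each depositor.
    mapping(address => uint256) public credited;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    /// Pattern described in the finding: credits the requested amount.
    /// With a fee-on-transfer token, credited exceeds the tokens actually held.
    function depositNaive(IERC20 token, uint256 tokenAmount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), tokenAmount), "transfer failed");
        credited[msg.sender] += tokenAmount;
    }

    /// Balance-delta pattern: credits only what actually arrived.
    function depositMeasured(IERC20 token, uint256 tokenAmount, uint256 minReceived)
        external
        nonReentrant
        returns (uint256 received)
    {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), tokenAmount), "transfer failed");
        // Reverts on underflow if the balance somehow dropped during the transfer.
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received >= minReceived, "fee exceeds tolerance");
        credited[msg.sender] += received;
    }
}
```

Passing `minReceived == tokenAmount` turns the measured path into a strict rejection of fee-on-transfer tokens, which has the same effect as the whitelist option without maintaining a separate list.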

#0 - c4-judge

2022-12-04T12:09:46Z

Picodes marked the issue as duplicate of #196

#1 - c4-judge

2023-01-01T11:16:32Z

Picodes marked the issue as satisfactory
