hack3r-0m - chain libraray has references to deprecated arbitrum rinkeby which causes uninteded behaviour for block values
Closed this issue · 5 comments
hack3r-0m
medium
chain libraray has references to deprecated arbitrum rinkeby which causes uninteded behaviour for block values
Summary
chain libraray has references to deprecated arbitrum rinkeby which causes uninteded behaviour for block values
Vulnerability Detail
uint256 constant public ARBITRUM_RINKEBY_CHAIN_ID = 421611;
arbitrum rinkeby is deprecated in favour of arbitrum goerli
Impact
if protocol is deployed in arbitrum goerli, it will not use ArbSys
and use default block values which would not revert but silently causes issues in execution, blockhash
on arbitrum goerli will return pseudo-random value and will not be able to verify oracle updates.
Code Snippet
https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/chain/Chain.sol#L12
Tool used
Manual Review
Recommendation
use arbitrum goerli chain-id
Escalate for 10 USDC
I believe this issue was considered low/informational, I am escalating it to push to medium severity because of mentioned reason in "Impact" section in report. To summarize, this can give false sense of how protocol system is working on testnet and team might draw wrong conclusions from it, for e.g doing testing on arb-goerli and then deriving arb-mainnet parameters basis that which is dangeours due to mentioned issue.
Escalate for 10 USDC
I believe this issue was considered low/informational, I am escalating it to push to medium severity because of mentioned reason in "Impact" section in report. To summarize, this can give false sense of how protocol system is working on testnet and team might draw wrong conclusions from it, for e.g doing testing on arb-goerli and then deriving arb-mainnet parameters basis that which is dangeours due to mentioned issue.
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Test issues do not cause loss of funds; some other issue must be present for funds to be lost, and the submitter provided no such issue - Informational
Escalation rejected
This is not a valid/high medium
Considering this issue Informational
Escalation rejected
This is not a valid/high medium
Considering this issue Informational
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.