The vulnerability is related to the GMXVaul.sol
contract's receive()
function. It lacks proper safeguards, potentially enabling frontrunning attacks and allowing an attacker to manipulate the refund mechanism to gain undeserved native tokens.
The vulnerability arises from the contract's receive()
function, which refunds native tokens to a specific address under certain conditions. This function doesn't include proper safeguards to prevent potential frontrunning attacks, allowing an attacker to manipulate the refund mechanism to gain undeserved native tokens.
An attacker can frontrun and before receive()
function call e.g. GMXDeposit.sol
contract's deposit()
function and become a refundee
: self.refundee = payable(msg.sender)
and gain all native tokens from fallback function.
An attacker could, in a frontrunning manner, deposit a small amount and become eligible for a refund. This could lead to an unintended transfer of native tokens to the attacker, effectively draining the contract's native token balance.
Manual review.
To mitigate this vulnerability, it is advised to implement additional checks and safeguards in the receive function. These checks should ensure that only valid refund requests are processed and that they are protected against manipulation or unauthorized access. Additionally, consider alternative design patterns to handle refunds securely.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.