Summary
In the Runaction function, the contract emits the USD amount of a position's size in the event instead of the size in tokens.
Vulnerability Details
Wrong event emission
event GmxPositionUpdated(
    bytes32 positionKey,
    address market,
    bool isOpen,
    bool isLong,
@audit>> uint256 sizeInTokens,
    uint256 indexTokenPrice
);
But the contract incorrectly emits the USD value of this size:
if (flow == FLOW.SIGNAL_CHANGE) {
    emit GmxPositionUpdated(
        positionKey,
        market,
        orderResultData.orderType == Order.OrderType.MarketIncrease,
        orderResultData.isLong,
@audit>> orderResultData.sizeDeltaUsd,
        prices.indexTokenPrice.min
    );
The USD valuation is different from the token amount. See:
function afterLiquidationExecution() external {
    if (msg.sender != address(gmxProxy)) {
        revert Error.InvalidCall();
    }
    depositPaused = true;
@audit>> uint256 sizeInTokens = vaultReader.getPositionSizeInTokens(curPositionKey);
    if (sizeInTokens == 0) {
        delete curPositionKey;
    }

if (flow == FLOW.DEPOSIT) {
    uint256 amount = depositInfo[counter].amount;
    uint256 feeAmount = vaultReader.getPositionFeeUsd(market, orderResultData.sizeDeltaUsd, false) / prices.shortTokenPrice.min;
@audit>> uint256 prevSizeInTokens = flowData;
@audit>> int256 priceImpact = vaultReader.getPriceImpactInCollateral(curPositionKey, orderResultData.sizeDeltaUsd, prevSizeInTokens, prices);
    uint256 increased;

struct OrderResultData {
    Order.OrderType orderType;
    bool isLong;
    uint256 sizeDeltaUsd;
    address outputToken;
    uint256 outputAmount;
    bool isSettle;
}
Impact
Wrong event emission: the event expects the size in tokens, but the USD size is emitted.
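To show what this means for a consumer of the event, the following added example (not code from the audited project) classifies the size field of a decoded GmxPositionUpdated event as a token amount or a USD value. It assumes the GMX v2 convention that USD values carry 30 decimals and prices are quoted per smallest token unit, and that the consumer already knows the order's USD size; the function names and sample values are constructed for illustration.

```python
# Added example: off-chain sanity check for the size field of GmxPositionUpdated.
# Assumption (not from the report): USD values use 30 decimals and prices are
# quoted per smallest token unit, so sizeInTokens * indexTokenPrice == sizeInUsd.
USD_DECIMALS = 30


def unit_price(usd_per_token: int, token_decimals: int) -> int:
    """Price of one smallest token unit, scaled to 30 decimals."""
    return usd_per_token * 10 ** (USD_DECIMALS - token_decimals)


def classify_size_field(size_field: int, index_token_price: int,
                        order_size_delta_usd: int, tolerance_bps: int = 100) -> str:
    """Tell whether the event's size field holds tokens or a USD value.

    order_size_delta_usd is the USD size of the same order, which the consumer
    is assumed to know already (hypothetical input, e.g. from the order request).
    """
    def close(a: int, b: int) -> bool:
        return abs(a - b) * 10_000 <= b * tolerance_bps

    if close(size_field * index_token_price, order_size_delta_usd):
        return "tokens"   # field * price reproduces the USD size
    if close(size_field, order_size_delta_usd):
        return "usd"      # field is the USD size itself
    return "unknown"


def misread_as_tokens(size_field: int, token_decimals: int) -> int:
    """Whole tokens a consumer would display if it trusts the field name."""
    return size_field // 10 ** token_decimals


# Constructed sample: 10,000 USD order on an 18-decimal index token at 2,000 USD.
PRICE = unit_price(2_000, 18)
SIZE_DELTA_USD = 10_000 * 10 ** USD_DECIMALS
SIZE_IN_TOKENS = SIZE_DELTA_USD // PRICE  # token amount the field name promises

if __name__ == "__main__":
    for label, value in (("emitted (sizeDeltaUsd)", SIZE_DELTA_USD),
                         ("declared (sizeInTokens)", SIZE_IN_TOKENS)):
        print(label, classify_size_field(value, PRICE, SIZE_DELTA_USD),
              misread_as_tokens(value, 18))
```
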
Tools Used
Manual Review
Recommendations
Return and emit the position size in tokens, not the USD size.