DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Manipulation of ETH Balance in `GmxProxy` Contract

Summary

The lowerThanMinEth function in the GmxProxy contract determines whether the contract's ETH balance is below minEth. However, it directly relies on address(this).balance, which can be manipulated by external users sending ETH to the contract. This can lead to incorrect calculations and unintended behavior in dependent logic.

Vulnerability Details

  1. ETH Balance Can Be Manipulated:

    • The contract uses address(this).balance to determine if the ETH balance is below minEth.

    • Any user can send ETH directly to the contract since it has a receive() function, artificially increasing its balance.

    • This results in an incorrect calculation where lowerThanMinEth might return false even when the contract’s intended ETH balance is actually below minEth.

  2. Risk of Misleading Calculations:

    • If lowerThanMinEth is used to trigger essential contract operations (e.g., auto-replenishment, emergency actions), a manipulated balance could lead to incorrect decisions.

    • The function does not differentiate between ETH received via expected deposits and ETH sent directly by external users.

  3. No Internal ETH Balance Tracking:

    • The contract lacks an internal variable to track ETH deposits and withdrawals properly.

    • Using address(this).balance instead of an internally managed state variable means that external interference affects contract logic.

Impact

  • Incorrect ETH Threshold Checks: The contract may falsely determine it has sufficient ETH, leading to delayed or incorrect actions.

  • Potential Denial of Service (DoS) or Exploits:

    • If lowerThanMinEth is part of critical conditions, attackers could manipulate it by sending small amounts of ETH to prevent necessary operations.

    • Conversely, an attacker could drain ETH and trigger emergency mechanisms when it is unnecessary.

  • Unreliable Balance Tracking: Without proper internal accounting, ETH amounts expected by the contract may not align with actual available funds.

Tools Used

Manual code review.

Recommendations

  1. Implement Internal ETH Balance Tracking:

    • Maintain a state variable (internalEthBalance) that tracks ETH deposits and withdrawals.

    • Update this variable within controlled deposit and withdrawal functions.

  2. Modify lowerThanMinEth to Use Internal Balance:

    • Instead of relying on address(this).balance, compare internalEthBalance with minEth:

      function lowerThanMinEth() external view returns (bool) {
          return internalEthBalance < minEth;
      }

  3. Restrict Direct ETH Transfers if Necessary:

    • If external ETH transfers should not influence contract logic, remove the receive() function or implement a fallback function that rejects unexpected ETH deposits.
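The three recommendations above, combined into a constructed before/after illustration (added here; not the audited GmxProxy code). Contract and function names other than lowerThanMinEth and minEth are assumptions. Note that reverting in receive() does not stop ETH force-sent via selfdestruct or a block reward, which is why the internal counter, not the rejecting receive(), is the robust part of the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration (not the audited GmxProxy): the "before" check reads the
// raw balance, so anyone who sends ETH to the contract can flip its result.
contract EthCheckBefore {
    uint256 public minEth;
    constructor(uint256 _minEth) { minEth = _minEth; }
    receive() external payable {}
    function lowerThanMinEth() external view returns (bool) {
        return address(this).balance < minEth; // manipulable by any sender
    }
}

// "After": ETH is only counted when it enters through an explicit deposit path,
// so stray transfers do not affect the threshold logic.
contract EthCheckAfter {
    uint256 public minEth;
    uint256 public internalEthBalance; // tracked deposits minus withdrawals
    address public immutable owner;

    constructor(uint256 _minEth) { minEth = _minEth; owner = msg.sender; }

    // Plain transfers are rejected; this cannot stop ETH pushed in via
    // selfdestruct or as a block reward, which is why the counter below matters.
    receive() external payable { revert("use deposit()"); }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        internalEthBalance += msg.value;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(amount <= internalEthBalance, "exceeds tracked balance");
        internalEthBalance -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function lowerThanMinEth() external view returns (bool) {
        return internalEthBalance < minEth; // unaffected by untracked ETH
    }

    // Any difference is untracked ETH; keeping it separate means it can be
    // swept or ignored without affecting the threshold check.
    function untrackedEth() external view returns (uint256) {
        return address(this).balance - internalEthBalance;
    }
}
```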

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Users mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
