DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Lack of Slippage Protection on decreasePosition Enables Price Manipulation Attacks Cause Loss for Protocol

Summary

Slippage protection is not applied for decreasePosition. When creating an increasePosition order, minOutputAmount denotes the minimum token amount after the initialCollateralDeltaAmount is swapped through the swapPath, but in the protocol we do not swap tokens while increasing the position, hence setting minOutputAmount = 0 makes sense. For decreasePosition, however, minOutputAmount denotes the minimum USD value; USD is used in this case because it is possible for decrease orders to have two output tokens. Hence, when creating the decrease position, the value should be set accordingly; otherwise it may lose value because of the asynchronous nature of the GMX protocol.

GMX Docs

Vulnerability Details

For decreasePosition, minOutputAmount represents the minimum acceptable USD value for the order, as decrease orders can output two different tokens. The current implementation does not enforce slippage protection for decreasePosition orders.

Example:
An attacker detects a decreasePosition order with a weak slippage protection parameter. They quickly execute a transaction on GMX to move the price, such as by selling a significant volume of the output token, which causes the price to drop. When the original decreasePosition order is executed, it receives a lower USD value than expected. The attacker then reverses the price manipulation (for example, by buying back tokens at the lower price) and profits from the difference. This backrunning strategy yields a profit for the malicious user at the expense of the protocol.

Impact

The protocol can incur losses due to the unfavorable execution price of decreasePosition orders.

Tools Used

Manual Review

Recommendations

Add slippage protection while creating the decrease position.

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_gmx_increase/decrease_no_slippage

acceptablePrice does that job for increase/decrease positions. https://github.com/gmx-io/gmx-synthetics/blob/caf3dd8b51ad9ad27b0a399f668e3016fd2c14df/contracts/order/BaseOrderUtils.sol#L276C49-L276C66
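The price bound the judge refers to can be sketched as follows. This is an added example, not code from the submission or from GMX: it is a simplified model that assumes the order fails when the execution price is worse than acceptablePrice for the trader, and the function names, basis-point tolerance and sample prices are hypothetical.

```python
BPS = 10_000  # basis-point denominator

def is_buying(is_long: bool, is_increase: bool) -> bool:
    # Opening a long or closing a short buys index exposure;
    # closing a long or opening a short sells it.
    return is_long == is_increase

def acceptable_price(mark_price: int, slippage_bps: int,
                     is_long: bool, is_increase: bool) -> int:
    """Derive an acceptablePrice bound from the current mark price.

    Buying side: a ceiling above the mark price.
    Selling side: a floor below the mark price.
    """
    if is_buying(is_long, is_increase):
        return mark_price * (BPS + slippage_bps) // BPS
    return mark_price * (BPS - slippage_bps) // BPS

def is_fulfillable(execution_price: int, acceptable: int,
                   is_long: bool, is_increase: bool) -> bool:
    # Assumed model of the check: reject execution at a price
    # that is worse for the trader than the stated bound.
    if is_buying(is_long, is_increase):
        return execution_price <= acceptable
    return execution_price >= acceptable

def gives_no_protection(acceptable: int, is_long: bool, is_increase: bool,
                        max_price: int = 2**256 - 1) -> bool:
    # A floor of 0 on the selling side, or a ceiling of the maximum
    # uint256 on the buying side, accepts any execution price.
    if is_buying(is_long, is_increase):
        return acceptable >= max_price
    return acceptable == 0

if __name__ == "__main__":
    mark = 200_000  # constructed sample price, arbitrary integer units
    floor = acceptable_price(mark, 50, is_long=True, is_increase=False)
    for px in (199_500, 198_000):  # constructed execution prices
        ok = is_fulfillable(px, floor, is_long=True, is_increase=False)
        print(f"long decrease at {px}: floor={floor} fulfillable={ok}")
```

An integration review can apply `gives_no_protection` to the acceptablePrice a contract passes when it creates orders: a hard-coded 0 or maximum value there leaves execution price unbounded.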
