Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

BaseGasLimit is over estimated and user overcharged as oracle count is not fixed at GMX

0xffchain

Summary

User is over charged for transaction when the user deposits into gamma due to over estimation of gas required at gmx

Vulnerability Details

When interacting with GMX contract, to make an execution , the vault has to estimate what the gas cost are each time, using fixed estimation values from GMX contract fetched in Perpetual#getExecutionGasLimit. The ExecutionGasLimit cost is divided into three variables: baseGasLimit, callbackGasLimit & estimatedGasLimit.

executionGasLimit =baseGasLimit +((estimatedGasLimit + _callbackGasLimit) * multiplierFactor) /PRECISION;

BaseGasLimit is calculated as so:

uint256 baseGasLimit = dataStore.getUint(

ESTIMATED_GAS_FEE_BASE_AMOUNT_V2_1

);

uint256 oraclePriceCount = 5;

baseGasLimit +=

dataStore.getUint(ESTIMATED_GAS_FEE_PER_ORACLE_PRICE) *

oraclePriceCount;

oraclePriceCount is used to multiply the oracle price, and the oracle count has a fixed value of 5, this should not be the case,

as in GMX the oracle count is not fixed but a cumulative of a fixed and variable value.

https://github.com/gmx-io/gmx-synthetics/blob/b8fb11349eb59ae48a1834c239669d4ad63a38b5/contracts/gas/GasUtils.sol#L228C4-L237C1

function estimateWithdrawalOraclePriceCount(uint256 swapsCount) internal pure returns (uint256) {

return 3 + swapsCount;

}

function estimateOrderOraclePriceCount(uint256 swapsCount) internal pure returns (uint256) {

return 3 + swapsCount;

}

When estimating oracle price count, it is seen that the only fixed value on GMX is 3 and then the variable value “swapCount” is dependent on what is supplied from Gamma contracts on interaction with GMX. SwapPath, as defined in perpetualvault, is always zero except when the keeper wants to run an actual swap, but it is zero for increaseORder and decreaseOrder order types. Also keep in mind that the keeper determines the swappath in metadata param passed to the run function, so the contract is ignorant of the length of path.

IncreasePosition:

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L876

DecreasePosition

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L906

Settle:

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L954

GMX Swap

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L1069

Impact

Gas fees are over estimated and thus more funds taken from the user.

Tools Used

manual

Recommendations

Implement oracle count as is applicable to GMX using both fixed and variable value.

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.