Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Incorrect Gas Estimation if for Multi-Hop Swaps will cause revert

efccweb3

Summary

The createOrder function does not pass the swapPath parameter (from orderData) to getExecutionGasLimit, leading to incorrect gas estimations for orders involving multi-hop swaps. This results in transactions reverting due to insufficient gas, risking failed order executions.

Vulnerability Details

The getExecutionGasLimit function relies on swapPath.length to calculate the number of swaps (numSwaps = swapPath.length - 1). However, createOrder does not provide swapPath to getExecutionGasLimit, causing the latter to default to 1 swap (or zero if uninitialized).

POC

Scenario: Multi-Hop Swap with 2 Swaps
Order Data:

swapPath = [ETH, BTC, USDC](2 swaps).

SINGLE_SWAP_GAS_LIMIT = 50,000 gas.

tx.gasprice = 20 gwei.

Current Behavior:

getExecutionGasLimit assumes numSwaps = 0 (no swapPath passed).

Gas allocated: 0 * 50,000 = 0 gas for swaps.

positionExecutionFee = (baseGas + 0) * 20 gwei = undervalued fee.

Execution:

The contract checks address(this).balance >= undervalued fee (passes).

During execution, the transaction requires 2 * 50,000 = 100,000gas but only0` gas is allocated → Revert.

Impact

Orders requiring multi-hop swaps will revert due to gas exhaustion.

Tools Used

Manual review

Recommendations

Pass swapPath to getExecutionGasLimit in createOrder:

function createOrder(...) public returns (bytes32) {

// ...

uint256 positionExecutionFee = getExecutionGasLimit(

orderType,

orderData.callbackGasLimit,

orderData.swapPath // Pass swapPath here

) * tx.gasprice;

}

Update getExecutionGasLimit to Use swapPath:

function getExecutionGasLimit(

Order.OrderType orderType,

uint256 _callbackGasLimit,

address[] calldata swapPath // Add parameter

) public view returns (uint256) {

// ...

uint256 numSwaps = swapPath.length > 0 ? swapPath.length - 1 : 0;

gasPerSwap = dataStore.getUint(SINGLE_SWAP_GAS_LIMIT) * numSwaps;

// ...

}

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_swapPath_does_not_increase_the_executionFee

Likelihood: Low/Medium, when swapPath has more than 1 item. Impact: Medium/High, could lead to not enough fee collected to execute the transaction in GMX

Appeal created

sakshamseth5 Auditor

7 months ago

0xl33 Auditor

7 months ago

n0kto Lead Judge

7 months ago

n0kto Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_swapPath_does_not_increase_the_executionFee

Likelihood: Low/Medium, when swapPath has more than 1 item. Impact: Medium/High, could lead to not enough fee collected to execute the transaction in GMX

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.