DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Unsafe Token Approval Pattern in GmxProxy Leading to Failed Transactions

Summary

The GmxProxy contract implements an unsafe token approval pattern that fails to handle tokens requiring approval reset (like USDC) properly. This can lead to failed transactions and system unavailability, particularly on Arbitrum and Avalanche networks.

Vulnerability Details

On the Arbitrum and Avalanche networks, USDC requires an approval implementation that resets the allowance to zero before a new value is set.

    IERC20(orderData.initialCollateralToken).safeApprove(
        address(gmxRouter),
        orderData.amountIn
    );

But the createOrder function performs a direct approval without considering this token-specific requirement: it does not reset the allowance to 0 before setting a new value, which can cause failed transactions for USDC and even system unavailability.

Impact

  • Failed transactions

  • System unavailability for USDC

Scenario

  1. User initiates a transaction with USDC

  2. GmxProxy attempts to approve gmxRouter for amount X

  3. Previous approval exists with amount Y

  4. USDC contract reverts the transaction due to non-zero existing allowance

  5. Order creation fails

  6. System becomes temporarily unusable for USDC operations

Tools Used

  • Manual review

Recommendations

Always reset approval to 0 before setting a new value for USDC.
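The following is an added example and not code from the GmxProxy project or from this report. It contrasts the direct `safeApprove` pattern described above with a reset-to-zero helper that implements the recommendation. It assumes OpenZeppelin Contracts 4.9.x (the last line that still ships `SafeERC20.safeApprove`), a constructed mock token `ZeroResetToken` that refuses to change a non-zero allowance to another non-zero value, and a placeholder spender address standing in for gmxRouter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed dependency: OpenZeppelin Contracts 4.9.x (SafeERC20.safeApprove still present).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: enforces "reset allowance to 0 before setting a new non-zero value".
/// It only implements the two ERC20 functions the approval path touches.
contract ZeroResetToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external returns (bool) {
        require(
            value == 0 || allowance[msg.sender][spender] == 0,
            "ZeroResetToken: reset allowance to 0 first"
        );
        allowance[msg.sender][spender] = value;
        return true;
    }
}

/// Hypothetical contract holding both approval patterns side by side.
contract ApprovalPatterns {
    using SafeERC20 for IERC20;

    /// Pattern from the report: approve the new amount directly.
    /// Note: SafeERC20.safeApprove in OZ 4.x itself reverts when the current
    /// allowance and the new value are both non-zero, so the second call fails
    /// before the token is even reached.
    function approveUnsafe(IERC20 token, address spender, uint256 amount) external {
        token.safeApprove(spender, amount);
    }

    /// Recommended pattern: clear any existing allowance, then set the new amount.
    /// OZ >= 4.9 offers SafeERC20.forceApprove, which does the same reset internally.
    function approveWithReset(IERC20 token, address spender, uint256 amount) public {
        uint256 current = token.allowance(address(this), spender);
        if (current != 0) {
            token.safeApprove(spender, 0);
        }
        token.safeApprove(spender, amount);
    }
}

/// Deploys the mock and exercises both patterns twice in a row.
/// Expected result: (false, true): the direct pattern fails on the second
/// approval while the reset pattern succeeds.
contract ApprovalDemo {
    function run() external returns (bool unsafeSecondOk, bool hardenedSecondOk) {
        ZeroResetToken token = new ZeroResetToken();
        ApprovalPatterns patterns = new ApprovalPatterns();
        address router = address(0xBEEF); // placeholder spender, not the real gmxRouter
        IERC20 erc20 = IERC20(address(token));

        // First approval from a zero allowance succeeds with either pattern.
        patterns.approveUnsafe(erc20, router, 100);

        // Second approval while allowance is still 100: direct pattern reverts.
        try patterns.approveUnsafe(erc20, router, 200) {
            unsafeSecondOk = true;
        } catch {
            unsafeSecondOk = false;
        }

        // Reset-to-zero pattern clears the stale allowance and then sets 200.
        try patterns.approveWithReset(erc20, router, 200) {
            hardenedSecondOk = true;
        } catch {
            hardenedSecondOk = false;
        }
    }
}
```

The demo models the worst case the report describes, a stale non-zero allowance left over from an earlier order. Whether that case is reachable in GmxProxy depends on whether gmxRouter always consumes the full allowance it is granted, which is the point the judge raises below.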

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_safeApprove_no_reset

USDT or other unusual ERC20 tokens: out of scope. For the other reports: No proof that the allowance won't be consumed by the receiver.
