Details:
In the afterOrderExecution function, the MarketSwap branch does not enforce any verification to ensure that the swap’s output meets an expected minimum threshold. Unlike other branches (e.g., MarketIncrease) where parameters such as priceImpact are computed and taken into account, the MarketSwap branch simply accepts the returned outputAmount from the GMX proxy without validating it against an expected or acceptable minimum. This omission allows a swap executed under adverse market conditions or manipulated by an attacker to yield an output significantly lower than anticipated.
Root Cause:
The root cause is the lack of a safeguard in the MarketSwap branch of the afterOrderExecution function. The contract directly uses the value provided by the GMX proxy:
without checking if this output meets a predetermined minimum or acceptable price range. There is no comparison against an expected minimum output (e.g., a minOutputAmount parameter or a value computed from current market data), leaving the contract open to accepting swap results with excessive slippage.
Impact:
Under-minted Deposits: In deposit flows, users receive shares based on the output amount from the swap. If the swap returns an unexpectedly low amount due to excessive slippage, users will receive fewer shares than they should—resulting in an effective loss of deposited value.
Insufficient Withdrawals: During withdrawals, a similar issue can occur where users receive less collateral than expected, negatively impacting their ability to redeem their holdings fully.
Protocol Health: Systematic acceptance of poor swap outcomes can degrade the overall asset value held by the vault, potentially affecting fee calculations, collateralization, and the long-term sustainability of the protocol.
Recommendation:
Implement Minimum Output Checks:
Introduce a validation step in the MarketSwap branch that compares orderResultData.outputAmount against a computed or passed-in minOutputAmount. For example:
The expectedMinOutput can be derived from current market prices, acceptable slippage parameters, or a user-specified threshold.
Delegate and Re-Validate:
Ensure that the GMX proxy contract itself enforces a minimum output requirement and that this value is re-validated upon receiving the order result.
Enhanced Logging and Monitoring:
Add events or logging mechanisms to flag when the swap output deviates significantly from the expected value. This will aid in early detection of abnormal swap executions.
Proof of Concept (PoC) Scenario:
Setup:
A user deposits collateral which triggers a deposit flow involving a MarketSwap order via the _doGmxSwap function.
The order data contains an expected swap output value, yet no in-contract check is enforced on the returned output.
Attack/Manipulation:
Under adverse market conditions or through manipulation of the GMX proxy, the swap executes with extreme slippage—returning only 50% of the expected output.
Outcome:
In the afterOrderExecution function, the contract accepts the low outputAmount without verification:
In a deposit flow, the protocol mints shares based on the insufficient output, leading the user to receive significantly fewer shares than they should.
Upon withdrawal, the user finds that their collateral is substantially less than expected, demonstrating the loss incurred due to the unchecked swap output.
Conclusion:
The absence of a minimum output check in the MarketSwap branch allows for the acceptance of swap results with excessive slippage, leading to potential value loss for users and degradation of protocol health. Implementing the recommended checks and safeguards is crucial to mitigate this vulnerability.
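The minimum-output check described under Recommendation, as an added sketch that is not part of the submission and not the audited vault's code. Only outputAmount and minOutputAmount come from the page; the library, contract, function, event and error names, and the basis-point slippage parameter, are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Names other than
// outputAmount / minOutputAmount are hypothetical.
library SwapOutputGuard {
    uint256 internal constant BPS = 10_000;

    error InsufficientSwapOutput(uint256 outputAmount, uint256 minOutputAmount);
    error SlippageToleranceTooHigh(uint256 maxSlippageBps);

    // Lowest acceptable output for a quoted amount and a tolerance in basis points.
    function minOutputFor(uint256 expectedOutput, uint256 maxSlippageBps)
        internal pure returns (uint256)
    {
        if (maxSlippageBps > BPS) revert SlippageToleranceTooHigh(maxSlippageBps);
        // Round up so integer truncation never loosens the bound.
        return (expectedOutput * (BPS - maxSlippageBps) + BPS - 1) / BPS;
    }

    // Reject an order result whose output is below the recorded minimum.
    function requireMinOutput(uint256 outputAmount, uint256 minOutputAmount) internal pure {
        if (outputAmount < minOutputAmount) {
            revert InsufficientSwapOutput(outputAmount, minOutputAmount);
        }
    }
}

contract SwapCallbackExample {
    // Bound recorded when the swap order is created (assumed flow).
    uint256 private pendingMinOutputAmount;

    event SwapOutputAccepted(uint256 outputAmount, uint256 minOutputAmount);

    // Called at order creation: fix the bound before the swap executes.
    function _recordSwapOrder(uint256 expectedOutput, uint256 maxSlippageBps) internal {
        pendingMinOutputAmount = SwapOutputGuard.minOutputFor(expectedOutput, maxSlippageBps);
    }

    // Called from the swap branch of the order callback: re-validate the result.
    // With a 1% tolerance (100 bps), the PoC's 50% output would be rejected here.
    function _onSwapExecuted(uint256 outputAmount) internal {
        uint256 minOut = pendingMinOutputAmount;
        delete pendingMinOutputAmount;
        SwapOutputGuard.requireMinOutput(outputAmount, minOut);
        emit SwapOutputAccepted(outputAmount, minOut);
    }
}
```

Whether reverting is the right response inside an order callback depends on how the caller treats a failed callback, which the page does not show.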
Slippage and deadline are handled externally.
Paraswap implementation used by the current code (behind the proxy): https://etherscan.io/address/0xdffd706ee98953d3d25a3b8440e34e3a2c9beb2c
GMX code: https://github.com/gmx-io/gmx-synthetics/blob/caf3dd8b51ad9ad27b0a399f668e3016fd2c14df/contracts/order/OrderUtils.sol#L150C15-L150C33