Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Single Oracle Dependency May Lead to Price Manipulation in contract GmxProxy

sonamakash54

Affected Line of Code

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/main/contracts/GmxProxy.sol#L123-L147

address oracle = IOrderHandler(orderHandler).oracle();
prices.indexTokenPrice = IOracle(oracle).getPrimaryPrice(marketInfo.indexToken);
prices.longTokenPrice = IOracle(oracle).getPrimaryPrice(marketInfo.longToken);
prices.shortTokenPrice = IOracle(oracle).getPrimaryPrice(marketInfo.shortToken);

Summary

The contract relies on a single oracle for price data, introducing a centralization risk. If the oracle provides manipulated or incorrect data, users may experience unfair liquidations, arbitrage exploits, or inaccurate pricing calculations.

Finding Description

This contract fetches price data from a single oracle without implementing redundancy, validation, or price sanity checks. The lack of oracle diversity creates a single point of failure, violating decentralization principles. If the oracle is compromised, malfunctioning, or manipulated by a privileged entity, the entire pricing mechanism of the protocol becomes unreliable.

This breaks core security guarantees:

  • Trust Assumptions: A decentralized system should not rely on a single data provider.

  • Fair Liquidations: Manipulated prices can lead to forced liquidations of users' positions.

  • Manipulation Resistance: The lack of price aggregation makes it easy for an attacker to exploit price discrepancies.

Attack Scenario

  1. An attacker gains control over the oracle (via governance control, admin privileges, or external market manipulation).

  2. The attacker reports incorrect prices, artificially inflating or deflating asset values.

  3. This results in incorrect trade executions, forced liquidations, or risk-free arbitrage opportunities.

  4. Users lose funds due to manipulated price feeds, while the attacker profits from the exploit.

Impact Explanation

  • Severity: High

    • If the oracle is manipulated, an attacker can liquidate positions, withdraw excess funds, or influence asset pricing, leading to significant financial loss.

    • The system has no fallback mechanism if the oracle fails, making this a major security flaw in a DeFi protocol.

Likelihood Explanation

  • Likelihood: Medium

    • If the oracle is a trusted provider like Chainlink, the likelihood is lower but still present due to potential oracle failures, delays, or off-chain manipulation.

    • If the oracle is controlled by the project team or a centralized entity, the likelihood increases significantly.

    • An attacker could target oracle vulnerabilities (e.g., flash loans, governance attacks, or data manipulation) to exploit the contract.

Proof of Concept

To simulate this attack, a malicious oracle can be created to return manipulated prices:

contract MaliciousOracle is IOracle {
function getPrimaryPrice(address asset) external pure override returns (uint256) {
// Return an arbitrary manipulated price
return 1; // Setting an extremely low price
}
}

Exploit Execution:

  1. The contract retrieves the manipulated price from MaliciousOracle.

  2. This incorrect price triggers forced liquidations or incorrect trade settlements.

  3. The attacker profits by liquidating positions at artificial prices.

Recommendation

To mitigate this issue, the following solutions should be implemented:

  1. Use Multiple Oracles: Fetch prices from multiple sources (e.g., Chainlink, Pyth, Tellor) and aggregate them.

  2. Implement Price Sanity Checks: Ensure price deviations stay within a reasonable threshold before accepting new values.

  3. Introduce a Fallback Mechanism: If the primary oracle fails, use a backup source for price data.

Fixed Code Example

function getSafePrice(address asset) public view returns (uint256) {
uint256 primaryPrice = IOracle(primaryOracle).getPrimaryPrice(asset);
uint256 secondaryPrice = IOracle(backupOracle).getPrimaryPrice(asset);
// Use median price to prevent manipulation
return (primaryPrice + secondaryPrice) / 2;
}

Final Severity Assessment

  • Impact: High (Funds at risk, potential protocol-wide exploitation)

  • Likelihood: Medium (Depends on oracle security, but attack scenarios exist)

  • Overall Severity: High

Updates

Lead Judging Commences

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.