Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Reentrancy Attack in ETH Transfers in GmxProxy.sol

silverwolf

Summary

The GmxProxy contract accepts ETH via a receive() function and transfers funds using safeTransfer(). If a malicious contract is used as the recipient, it could exploit a reentrancy attack by recursively calling the function before the state is updated, potentially draining the contract.

Vulnerability Details

• The contract allows ETH deposits via:

receive() external payable {}

• It performs transfers using safeTransfer():

IERC20(eventData.addressItems.items[0].value).safeTransfer(perpVault, eventData.uintItems.items[0].value);

• A malicious fallback function could repeatedly call safeTransfer() before the contract updates its state, allowing an attacker to drain all ETH.

Impact

Complete loss of contract funds due to reentrancy exploitation.

Users may lose their deposited assets if an attacker targets their transactions.

Tools Used

• Manual Code Review

• Slither Static Analysis

Recommendations

Implement ReentrancyGuard from OpenZeppelin:

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
contract GmxProxy is ReentrancyGuard {
receive() external payable nonReentrant {}
}

• Ensure state changes happen before external calls.
• Use the Checks-Effects-Interactions pattern to prevent reentrant calls.

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.