DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Silent Failure in External Contract Calls: Unchecked Return Values in GMXProxy Contract

Summary

A vulnerability has been identified in the GMXProxy contract where external calls to other contracts are not properly checking return values. This oversight could lead to silent failures in token transfers and contract interactions, and to an inconsistent contract state.

Vulnerability Details

The GMXProxy contract contains multiple instances of unchecked external calls, particularly in token transfer operations. The most critical instances are found in:

  • Token transfers using IERC20.safeTransfer

  • External contract calls using call()

  • Cross-contract interactions with GMX protocol components

Root Cause

The vulnerability stems from two primary technical issues:

  1. External calls return boolean values indicating success/failure

  2. Contract execution continues even if external calls fail silently

This creates a situation where the contract can proceed with incorrect assumptions about the success of external operations.

Impact

The vulnerability could lead to several severe consequences:

  • Users might not receive their funds

  • Contract state becomes inconsistent with reality

  • Failed transfers recorded as successful

  • Malicious contracts could exploit unchecked returns

  • Hidden errors might remain undetected

Tools Used

The following tools were utilized to identify and verify this vulnerability:

  • Static analysis using Slither

  • Manual code review

  • Contract flow analysis

Mitigation

To address this vulnerability, implement the following changes:

  1. Add Return Value Checks

```solidity
// SafeERC20.safeTransfer has no return value (it reverts on failure), so the
// raw IERC20.transfer, which returns a bool, is the call whose result is checked here.
bool success = IERC20(token).transfer(recipient, amount);
require(success, "Transfer failed");
```

  2. Implement Proper Error Handling

```solidity
event Transfer(address token, address from, address to, uint256 amount);

function transferTokens(address token, address recipient, uint256 amount) public {
    bool success = IERC20(token).transfer(recipient, amount);
    require(success, "Token transfer failed");
    // Only update state after confirmed success
    emit Transfer(token, msg.sender, recipient, amount);
}
```
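As an added illustration (not the GMXProxy code under audit and not part of this submission), the unchecked-return pattern described above beside the hardened form using OpenZeppelin's SafeERC20; the FalseReturningToken contract is constructed for the example to model a token that reports failure with `false` instead of reverting:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed token: signals failure by returning false rather than reverting.
// Some deployed tokens behave this way; others return no data at all.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000e18; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern: the bool is discarded, so accounting is updated as if
// the transfer succeeded even when the token returned false.
contract UncheckedProxy {
    mapping(address => uint256) public credited;

    function payOut(address token, address to, uint256 amount) external {
        IERC20(token).transfer(to, amount); // return value ignored
        credited[to] += amount;             // recorded as paid regardless
    }
}

// Hardened pattern: SafeERC20.safeTransfer reverts if the call reverts,
// returns false, or returns no data. It has no return value of its own,
// so there is nothing to wrap in require(); the revert is the check.
contract CheckedProxy {
    using SafeERC20 for IERC20;
    mapping(address => uint256) public credited;

    function payOut(address token, address to, uint256 amount) external {
        IERC20(token).safeTransfer(to, amount); // reverts on failure
        credited[to] += amount;                 // only reached on success
    }
}
```

In a Foundry or Hardhat test, fund each proxy with the constructed token, call `payOut` for more than its balance, and compare: UncheckedProxy increments `credited` while the token balance is unchanged, whereas CheckedProxy reverts and leaves both untouched.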
Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
