DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Privilege Escalation via tx.origin Authentication Bypass in GMXProxy

Summary

A vulnerability has been identified in the GMXProxy contract where the setPerpVault function uses tx.origin for access control instead of msg.sender. This could allow an attacker to gain unauthorized admin privileges through a sophisticated phishing attack, potentially compromising the entire protocol's security.

Vulnerability Details

The vulnerability exists in the setPerpVault function of the GMXProxy contract:

    function setPerpVault(address _perpVault, address market) external {
        require(tx.origin == owner(), "not owner"); // Vulnerable line
        require(_perpVault != address(0), "zero address");
        require(perpVault == address(0), "already set");
        perpVault = _perpVault;
        gExchangeRouter.setSavedCallbackContract(market, address(this));
    }

The function uses tx.origin for owner authentication instead of the more secure msg.sender. Because tx.origin is the account that originally signed the transaction rather than the immediate caller, a malicious contract that the owner is tricked into calling could pass the ownership check.

An attacker could exploit this vulnerability through the following attack flow:

  1. Deploy a malicious contract with an attractive airdrop function. Note that beforehand we need to be a regular user by depositing funds (a small amount is enough, so that we can call withdraw from perpVault).

    contract MaliciousAirdrop {
        address public gmxProxy;

        constructor(address _gmxProxy) {
            gmxProxy = _gmxProxy;
        }

        function claimAirdrop() external payable {
            // Trigger refundExecutionFee flow
            IPerpetualVault(perpVault).withdraw();
        }

        receive() external payable {
            // Called when receiving refund
        }
    }

  2. Create a phishing campaign targeting the owner

  3. When the owner interacts with the malicious contract:

    • The transaction origin will be the owner's address

    • The malicious contract can call setPerpVault through its receive function

    • The tx.origin check will pass, allowing the attack to succeed

Impact

The vulnerability could allow an attacker to:

  1. Take control of the GMXProxy contract by changing the perpVault address

  2. Manipulate protocol operations through unauthorized admin access

  3. Potentially drain funds or disrupt protocol functionality

The impact is considered medium instead of high because:

  • It compromises a critical access control mechanism

  • Could lead to complete protocol compromise

  • Requires only a successful phishing attempt on the owner

Tools Used

  • Manual code review

Recommendations

Replace tx.origin with msg.sender:

    function setPerpVault(address _perpVault, address market) external {
        require(msg.sender == owner(), "not owner"); // Fixed line
        require(_perpVault != address(0), "zero address");
        require(perpVault == address(0), "already set");
        perpVault = _perpVault;
        gExchangeRouter.setSavedCallbackContract(market, address(this));
    }

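
The difference between the two guards can be checked with a small model of EVM call context. This is an added example, not code from the submission or the project: the Python classes, the addresses and the `run` helper are constructed for illustration, and the model covers only the three `require` checks of setPerpVault shown above, including the set-once "already set" check.

```python
from dataclasses import dataclass

ZERO = "0x0"  # stands in for address(0)

@dataclass(frozen=True)
class Ctx:
    origin: str  # tx.origin: the EOA that signed the tx, fixed for the whole call chain
    sender: str  # msg.sender: the immediate caller of the current frame

class Proxy:
    """Models only the three require checks of setPerpVault (constructed model)."""
    def __init__(self, owner, use_tx_origin):
        self.owner = owner
        self.perp_vault = ZERO
        self.use_tx_origin = use_tx_origin

    def set_perp_vault(self, ctx, vault):
        caller = ctx.origin if self.use_tx_origin else ctx.sender
        if caller != self.owner:
            raise PermissionError("not owner")
        if vault == ZERO:
            raise ValueError("zero address")
        if self.perp_vault != ZERO:
            raise RuntimeError("already set")
        self.perp_vault = vault

class Intermediary:
    """Any contract the owner calls that forwards a call to the proxy."""
    address = "0xIntermediary"

    def forward(self, ctx, proxy, vault):
        # A nested call opens a new frame: msg.sender changes, tx.origin does not.
        proxy.set_perp_vault(Ctx(ctx.origin, self.address), vault)

def run(use_tx_origin, via_intermediary, preset=ZERO):
    """Return "ok" or the revert reason for one owner-signed transaction."""
    owner = "0xOwner"
    proxy = Proxy(owner, use_tx_origin)
    proxy.perp_vault = preset  # ZERO means the vault has not been set yet
    top = Ctx(origin=owner, sender=owner)  # the owner's EOA signs and sends
    try:
        if via_intermediary:
            Intermediary().forward(top, proxy, "0xVaultB")
        else:
            proxy.set_perp_vault(top, "0xVaultB")
        return "ok"
    except (PermissionError, ValueError, RuntimeError) as exc:
        return str(exc)
```

With the msg.sender guard the indirect call fails with "not owner" while the owner's direct call still succeeds; with the tx.origin guard the indirect call is accepted only while perpVault is still unset.
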
Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_tx-origin

Lightchaser: Medium-5
