Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Inadequate Validation of GMX Call Data in `GmxProxy.sol`

futhmah456

Summary

GmxProxy.sol encodes and forwards parameters for GMX interactions (e.g. in the createOrder and settle functions) without performing internal validations on critical values such as sizeDeltaUsd, collateral amounts, and swap paths. While access is restricted to the trusted perpVault, any malformed data from upstream could result in unintended behavior.

Vulnerability Details

Issue:
Input parameters taken from an OrderData struct are passed directly to external calls (via gExchangeRouter.createOrder) without sufficient validation or sanity checks.

Context:
The contract assumes that the calling perpetual vault (perpVault) will always supply correct and validated data. There is no redundancy within GmxProxy to enforce proper bounds or to verify that parameters like sizeDeltaUsd or initialCollateralDeltaAmount fall within expected ranges.
Inter‑Contract Considerations:
Even though the function caller is assumed to be trusted, any breach or misconfiguration in the upstream contract could lead to erroneous or malicious data being processed.

Impact

Order Misconfiguration:
Invalid parameters may result in orders that are overleverage, undercollateralized, or even rejected by GMX, affecting order execution.

Economic Losses:
Incorrect order parameters could be exploited to gain an unfair advantage or cause economic damage to the protocol.
System Reliability:
The overall stability of the system may be compromised if orders are processed with invalid data, leading to unintended interactions with GMX.

POC:

Overview

This PoC demonstrates that GmxProxy’s createOrder function forwards parameters (from an OrderData structure) to the GMX router without internal validations. By providing malformed data, an attacker (or a misbehaving trusted contract) could trigger unintended behavior or misconfigured orders.

Actors

Attacker: A malicious (or compromised) perpetual vault that supplies malformed order data.
Victim: The GmxProxy contract that does not perform its own validation.
Protocol: The system expecting properly validated data from the trusted perpVault.

Working Test Case

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.4;

/// @notice Interface for the GmxProxy's createOrder function.

interface IGmxProxy {

function createOrder(uint8 orderType, bytes calldata orderData) external returns (bytes32);

}

/// @notice A malicious vault contract that supplies invalid order data to GmxProxy.

contract MaliciousPerpVault {

IGmxProxy public proxy;

// Variable to store the request key returned from createOrder.

bytes32 public requestKey;

// Constructor sets the proxy address.

constructor(address _proxy) {

proxy = IGmxProxy(_proxy);

}

/// @notice Calls createOrder with deliberately invalid parameters.

function testInvalidOrder() external {

// Line 1: Construct invalid order data.

// For example, sizeDeltaUsd is set to 0 (invalid) and swapPath is empty.

bytes memory invalidOrderData = abi.encode(

address(0x1234567890123456789012345678901234567890), // Line 2: Market address

address(0x9876543210987654321098765432109876543210), // Line 3: initialCollateralToken

uint256(0), // Line 4: sizeDeltaUsd set to 0 (invalid)

uint256(1e18), // Line 5: initialCollateralDeltaAmount

true, // Line 6: isLong flag

new address[](0), // Line 7: empty swapPath

uint256(1e30), // Line 8: acceptablePrice

uint256(2000000), // Line 9: callbackGasLimit

uint256(1) // Line 10: minOutputAmount

);

// Line 11: Call createOrder with invalid data.

requestKey = proxy.createOrder(1, invalidOrderData);

}

Detailed Exploit Scenario

Setup:
- Deploy the GmxProxy contract (or use an existing instance).
- Deploy the MaliciousPerpVault contract with the GmxProxy address.
Attack Execution:
- The malicious vault (acting as the trusted perpVault) calls testInvalidOrder().
- The contract constructs an OrderData payload with invalid parameters (e.g, zero for sizeDeltaUsd and an empty swap path).
- The payload is passed to createOrder without any internal validations in GmxProxy.
Result:
- The GmxProxy forwards the invalid parameters to the GMX router.
- This may lead to misconfigured orders, unexpected reverts, or even orders that could be exploited for economic gain.

Tools Used

Manual Code Review

Recommendations

Input Validation:
Add explicit checks for key parameters (e.g., ensure sizeDeltaUsd > 0, collateral amounts within acceptable ranges, and valid token addresses).
Sanity Checks:
Validate swap paths and other array inputs to ensure they are non-empty and meet protocol expectations.
Defense in Depth:
Even though the perpVault is assumed to be trusted, incorporating additional validations within GmxProxy increases overall system robustness.

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas

Admin is trusted / Malicious keepers

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.