Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Users Will Overpay For Execution Fees If Order Is A Market Swap Order

sakshamseth5

Summary

Users orders requesting a market swap order from GMX will always overpay for the execution fee , this is because oraclePriceCount has been hardcoded to 5

Vulnerability Details

Consider the following ->

1.) Leverage of the perp vault is 1x and positionIsClosed is false (1x long position).

2.) A user comes to deposit , calls deposit() and since positionIsClosed is false _payExecutionFee() is triggered (L238) ->

if (positionIsClosed) {

MarketPrices memory prices;

_mint(counter, amount, false, prices);

_finalize(hex'');

} else {

_payExecutionFee(counter, true);

3.) Inside _payExecutionFee() ->

function _payExecutionFee(uint256 depositId, bool isDeposit) internal {

uint256 minExecutionFee = getExecutionGasLimit(isDeposit) * tx.gasprice;

4.) Inside getExecutionGasLimit() since _isLongOneLeverage is true (1x long position) ->

function getExecutionGasLimit(bool isDeposit) public view returns (uint256 minExecutionGasLimit) {

if (positionIsClosed == false) {

if (_isLongOneLeverage(beenLong)) {

minExecutionGasLimit = gmxProxy.getExecutionGasLimit(Order.OrderType.MarketSwap, callbackGasLimit);

}

5.) getExecutionGasLimit() is called from GmxProxy.sol , and there the uint256 oraclePriceCount = 5; is hardcoded , for our normal swap order (Market Swap Order) we wouldn't need 5 oracles and would need maximum of two oracles , therefore multiplying by 5 will produce a way higher base gas limit ->

uint256 oraclePriceCount = 5; // maximum number of oralce prices

baseGasLimit +=

dataStore.getUint(ESTIMATED_GAS_FEE_PER_ORACLE_PRICE) *

oraclePriceCount;

Impact

Users are overcharged for the execution fees specially for swaps , and since excess fees sent to GMX is not refunded to users in gamma this is a loss of funds for the users.

Tools Used

Manual analysis

Recommendations

Dont' hardcode oraclePriceCount to 5.

Updates

Lead Judging Commences

n0kto Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.