ADL can result in unwrapped ETH as output which is not handled
Summary
Based on the docs and GMX V2 code, output token from ADL order can be unwrapped ETH which is not handled in the current implementation.
From https://github.com/gmx-io/gmx-synthetics?tab=readme-ov-file#integration-notes:
Accounts may receive ETH for ADLs / liquidations, if the account cannot receive ETH then WETH would be sent instead
Vulnerability Details
In AdlUtils::createOrder() (reference), we can see that shouldUnwrapNativeToken is set to true, which will result in sending the native token to the position account later in transferOut() (reference). Additionally, since GmxProxy implements a receive() functionality, it can receive ETH instead of WETH.
The following snippet in GmxProxy.sol aims to handle ADL scenario and send funds to PerpetualVault, but it does not account the scenario mentioned above.
Impact
Stuck tokens + loss of funds for depositors.
Tools Used
Manual review.
Recommendations
Consider checking if output token is ETH and swap it to collateral token or wrap it when received so it will be swapped like it is done before every every action.
Lead Judging Commences
invalid_gmx_send_WETH_fees
`TokenUtils.sol::sendNativeToken()` has no reason to fail since there is a `receive` function without any instruction in the GmxProxy. It’s the simpliest and cheapest transfer possible. Good finding, but there is no likelihood.
Appeal created
finding_ADL_unwrap_ether_for_WETH_market
Impact: High, native ETH is sent to Gamma and won’t be accounted or withdrawn with the shares. Lead to revert of the transfer in the proxy. Likelihood: Low/Medium: Happen during ADL order (too many PnL), only on WETH/USDC market.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.