DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Slippage Protection Missing in Withdrawals, Causing Unexpected Losses

Summary

The withdrawal process lacks slippage protection, which can cause users to receive significantly less than expected due to price fluctuations or on-chain execution delays. This is particularly problematic for users withdrawing large amounts or when market conditions change between transaction submission and execution.

Additionally, the governance fee is only applied if the withdrawal amount exceeds the original deposit. However, if slippage causes the final received amount to drop below expectations, the user may unintentionally pay a governance fee on a lower-than-expected withdrawal, leading to an unfair deduction.

Vulnerability Details

  • A user submits a withdrawal request against a 5,000-token collateral deposit, expecting to withdraw 5,500 tokens (a 500-token profit).

  • Before execution, the market shifts, reducing the amount actually withdrawable to 5,200 tokens.

  • The system still assumes a 500-token profit instead of the actual 200-token profit.

  • The governance fee is overcharged, based on profit that does not exist.

  • The user receives less than expected after fees are deducted from the incorrect profit amount.

Impact

  • Users may receive less than anticipated during withdrawal due to price fluctuation, leading to potential financial loss.

  • Governance fee miscalculation when the assumed profit is higher than the realized profit because of unexpected slippage.

  • Users unknowingly overpay fees due to slippage reducing their real profit.

  • Exploitable via front-running: A malicious actor can manipulate market conditions (e.g., large sell orders) before a user's withdrawal executes, causing slippage that results in the user paying a higher governance fee than necessary.

Tools Used

Manual Review

Recommendations

  • Compute profit based on the actual received amount after slippage, rather than the expected amount.

  • Allow users to specify a minimum expected amount (slippage tolerance) before executing the withdrawal.

  • Verify the final withdrawn amount before applying governance fees, ensuring that users do not overpay.
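As an added illustration (not the audited project's code or GMX's): a minimal Solidity vault showing the fee pattern the finding describes beside the recommended one, using the 5,000 / 5,500 / 5,200 figures from the report in the comments. The 10% fee rate, the `price` variable, the `setPrice` hook and the `principal`/`units` bookkeeping are assumptions made for this illustration, and the vault is assumed to hold enough collateral to pay out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
/// Illustrative vault written for this note, not the audited project's code. `price`
/// (1e18 = 1.0) stands in for market state that moves between submission and execution.
contract SlippageAwareVault {
    uint256 public constant FEE_BPS = 1_000;       // assumed 10% governance fee, on profit only
    IERC20 public immutable collateral;
    address public immutable governance;
    uint256 public price = 1e18;                   // collateral tokens per position unit
    mapping(address => uint256) public principal;  // original deposit, never fee-charged
    mapping(address => uint256) public units;      // position size
    error SlippageExceeded(uint256 received, uint256 minAmountOut);
    constructor(IERC20 token, address gov) { collateral = token; governance = gov; }
    function setPrice(uint256 p) external { price = p; } // simulation hook only, no access control

    function deposit(uint256 amount) external {
        require(collateral.transferFrom(msg.sender, address(this), amount));
        principal[msg.sender] += amount;
        units[msg.sender] += amount * 1e18 / price;
    }

    /// Pattern described in the finding: the fee is derived from the amount the user
    /// expected (5,500 on a 5,000 deposit => fee on 500) even if only 5,200 is realised.
    function withdrawUnsafe(uint256 expectedOut) external {
        uint256 received = _close(msg.sender);
        uint256 p = principal[msg.sender];
        uint256 fee = expectedOut > p ? (expectedOut - p) * FEE_BPS / 10_000 : 0;
        _payout(msg.sender, received, fee);
    }

    /// Recommended pattern: enforce the caller's slippage tolerance first, then compute
    /// profit and fee from the realised amount (5,200 - 5,000 => fee on 200 only).
    function withdraw(uint256 minAmountOut) external {
        uint256 received = _close(msg.sender);
        if (received < minAmountOut) revert SlippageExceeded(received, minAmountOut);
        uint256 p = principal[msg.sender];
        uint256 fee = received > p ? (received - p) * FEE_BPS / 10_000 : 0;
        _payout(msg.sender, received, fee);
    }

    // Values the position at the current price and zeroes it out.
    function _close(address user) internal returns (uint256 received) { received = units[user] * price / 1e18; units[user] = 0; }
    function _payout(address user, uint256 received, uint256 fee) internal {
        principal[user] = 0;
        require(collateral.transfer(governance, fee) && collateral.transfer(user, received - fee));
    }
}
```

With a 5,000 deposit and the price moved so that 5,200 is realised, `withdrawUnsafe(5500)` charges a 50-token fee and pays 5,150, while `withdraw(5200)` charges 20 and pays 5,180, and `withdraw(5500)` reverts with `SlippageExceeded` instead of silently paying less.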

Updates

Lead Judging Commences

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_gmx_increase/decrease_no_slippage

acceptablePrice does that job for increase/decrease positions. https://github.com/gmx-io/gmx-synthetics/blob/caf3dd8b51ad9ad27b0a399f668e3016fd2c14df/contracts/order/BaseOrderUtils.sol#L276C49-L276C66
