The VaultReader
contract has a vulnerability in how it calculates collateral sufficiency and liquidation conditions, allowing manipulation of position data. Attackers can potentially distort liquidation logic by influencing how basePnlUsd
and position size are computed, leading to incorrect liquidations or bypassing liquidation entirely.
The contract relies on external data sources (gmxReader.getPositionInfo()
, dataStore.getUint()
) to determine position size, collateral, and fees. However, these values can be manipulated or stale, leading to incorrect calculations.
Affected code:
The function assumes getPositionSizeInUsd()
always returns valid data, but if an attacker manipulates the dataStore
, it may return incorrect or stale values, leading to incorrect liquidations.
Issue: If an attacker inflates positionInfo.basePnlUsd
, they can artificially increase collateral value, delaying liquidation or causing incorrect PnL calculations.
Risk: This allows price manipulation, especially in low-liquidity markets where attackers influence market prices to prevent liquidation.
The function willPositionCollateralBeInsufficient()
determines whether a position has sufficient collateral, but the logic can be manipulated by adjusting:
basePnlUsd
collateralAmount
fundingFeeAmount
Delayed or Prevented Liquidations: Attackers inflate collateral artificially to avoid liquidation.
Forced Liquidations of Other Users: Malicious actors manipulate market prices to cause liquidations of other traders.
Protocol Insolvency: If undercollateralized positions remain open, bad debt accumulates, causing systemic risk to the protocol.
Ensure fresh, non-manipulated data is used for calculations:
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.