DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Insufficient Price Protection in GMX

Summary

In our current implementation, the minOutputAmount parameter for GMX swap orders is hardcoded to 0. This means that there is no safeguard ensuring that a minimum amount of output tokens is received when executing a trade. Normally, this value should be calculated dynamically based on the expected output and a tolerable slippage margin. Without this protection, adverse market movements between the order's submission and execution can result in significantly worse execution rates than anticipated, potentially causing substantial losses.

Vulnerability Details

  1. GMX swap orders are created with price protection disabled:

```solidity
function _doGmxSwap(bytes memory data, bool isCollateralToIndex) internal {
    // logic...
    IGmxProxy.OrderData memory orderData = IGmxProxy.OrderData({
        market: address(0),
        indexToken: address(0),
        initialCollateralToken: tokenIn,
        swapPath: gPath,
        isLong: isCollateralToIndex, // this param has no meaning in swap order, but uses it to see the swap direction
        sizeDeltaUsd: 0,
        initialCollateralDeltaAmount: 0,
        amountIn: amountIn,
        callbackGasLimit: callbackGasLimit,
        acceptablePrice: 0, // <== hardcoded to 0
        minOutputAmount: minOutputAmount
    });
    _gmxLock = true;
    gmxProxy.createOrder(orderType, orderData);
    // ...
}
```

In GmxProxy:

```solidity
function createOrder(Order.OrderType orderType, IGmxProxy.OrderData memory orderData) public returns (bytes32) {
    // logic...
    CreateOrderParamsNumbers memory paramsNumber = CreateOrderParamsNumbers({
        sizeDeltaUsd: orderData.sizeDeltaUsd,
        initialCollateralDeltaAmount: orderData.initialCollateralDeltaAmount,
        triggerPrice: 0,
        acceptablePrice: orderData.acceptablePrice, // <== acceptablePrice is 0
        executionFee: positionExecutionFee,
        callbackGasLimit: orderData.callbackGasLimit,
        minOutputAmount: orderData.minOutputAmount,
        validFromTime: 0
    });
    // ...
}
```

Impact

With acceptablePrice set to 0, the protocol does not enforce a minimum price threshold. This leads to:

  • Adverse Price Movements: A sudden unfavorable market movement could result in execution at a price far below what was anticipated.

  • Front-Running Risks: Malicious actors could exploit the absence of a price floor to trigger executions at severely disadvantageous rates.

Tools Used

Manual review

Recommendations

Instead of hardcoding acceptablePrice to 0, derive it at order creation from the protocol's current price quote and a configurable slippage tolerance (for example a basis-point bound set by the owner). The order then settles only if the executed price is within that tolerance of the quote, and otherwise fails instead of filling at an arbitrarily bad rate.
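The following is an added illustration of that recommendation, not code from the audited project or from GMX. It shows the two bounds the report discusses (acceptablePrice and minOutputAmount) derived from a quoted price and a configurable basis-point tolerance, next to the unprotected zero values. The library and contract names, the `maxSlippageBps` storage, the price scale and the assumption that the caller already converted `amountIn` into an expected output using its own price feed are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Added example, not the audited project's or GMX's code.
/// Derives order bounds from a quoted price and a slippage tolerance in
/// basis points instead of passing 0. Names and scaling are assumptions.
library SlippageBounds {
    uint256 internal constant BPS = 10_000; // basis-point denominator

    error SlippageOutOfRange(uint256 slippageBps);

    /// @dev Floor on output tokens: the expected output less the tolerated
    /// slippage. `expectedOut` is amountIn converted at the protocol's own
    /// price quote (assumed to be done by the caller).
    function minOutput(uint256 expectedOut, uint256 slippageBps) internal pure returns (uint256) {
        if (slippageBps >= BPS) revert SlippageOutOfRange(slippageBps);
        return expectedOut * (BPS - slippageBps) / BPS;
    }

    /// @dev Worst execution price the caller tolerates, in the same units as
    /// `quotedPrice` (assumed: index token priced in collateral terms).
    /// Buying the index token (isCollateralToIndex) gets worse as price rises,
    /// so the bound sits above the quote; selling it sits below the quote.
    function acceptablePrice(uint256 quotedPrice, uint256 slippageBps, bool isCollateralToIndex)
        internal pure returns (uint256)
    {
        if (slippageBps >= BPS) revert SlippageOutOfRange(slippageBps);
        return isCollateralToIndex
            ? quotedPrice * (BPS + slippageBps) / BPS
            : quotedPrice * (BPS - slippageBps) / BPS;
    }
}

/// @notice Hypothetical call site showing the weak and hardened parameter
/// sets side by side. `maxSlippageBps` is assumed owner-configurable storage
/// (the setter and its access control are omitted here).
contract SwapBoundsExample {
    uint256 public maxSlippageBps = 50; // 0.5 %

    struct OrderBounds {
        uint256 acceptablePrice;
        uint256 minOutputAmount;
    }

    /// @dev Weak form as the report describes it: both safeguards disabled,
    /// so any execution price and any output amount are accepted.
    function unprotectedBounds() external pure returns (OrderBounds memory) {
        return OrderBounds({acceptablePrice: 0, minOutputAmount: 0});
    }

    /// @dev Hardened form. `quotedPrice` and `expectedOut` must be taken from
    /// the protocol's price feed at order creation, never supplied by an
    /// untrusted caller, or the bound protects nothing.
    function protectedBounds(uint256 expectedOut, uint256 quotedPrice, bool isCollateralToIndex)
        external view returns (OrderBounds memory)
    {
        return OrderBounds({
            acceptablePrice: SlippageBounds.acceptablePrice(quotedPrice, maxSlippageBps, isCollateralToIndex),
            minOutputAmount: SlippageBounds.minOutput(expectedOut, maxSlippageBps)
        });
    }
}
```

With `maxSlippageBps = 50` and an expected output of 1,000e18, `minOutputAmount` becomes 995e18, so an execution that would return 990e18 fails the order's own check rather than settling; with the zero values in `unprotectedBounds`, that same execution (or one returning far less) is accepted. The tolerance is kept in contract storage rather than passed per call so that it cannot be widened by whoever submits the swap.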

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_swap_slippage_and_deadline

Slippage and deadline are handled externally.

Paraswap implementation used by the current code (behind the proxy): https://etherscan.io/address/0xdffd706ee98953d3d25a3b8440e34e3a2c9beb2c

GMX code: https://github.com/gmx-io/gmx-synthetics/blob/caf3dd8b51ad9ad27b0a399f668e3016fd2c14df/contracts/order/OrderUtils.sol#L150C15-L150C33
