DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Stuck WETH from GMX ETH Transfer Fallback In `GmxProxy`

Summary

The GmxProxy contract can receive WETH from GMX when ETH transfers fail during ADLs/liquidations, but lacks functionality to withdraw this WETH, potentially leading to permanently locked funds in the contract.

Vulnerability Details

GMX's integration documentation explicitly states that when ETH transfers fail due to insufficient gas or other errors, the protocol will send WETH instead:

> ETH transfers are sent with NATIVE_TOKEN_TRANSFER_GAS_LIMIT for the gas limit, if the transfer fails due to insufficient gas or other errors, the ETH is sent as WETH instead
>
> Accounts may receive ETH for ADLs / liquidations, if the account cannot receive ETH then WETH would be sent instead

The GmxProxy contract currently handles ETH withdrawals:

```solidity
function withdrawEth() external onlyOwner returns (uint256) {
    uint256 balance = address(this).balance;
    payable(msg.sender).transfer(balance);
    return balance;
}
```

Impact

  • If GMX's ETH transfer fails and falls back to WETH, these funds will be permanently locked in the GmxProxy contract

  • This impacts the protocol's ability to fully recover assets during liquidation/ADL events where ETH transfers fail

Tools Used

Manual review
GMX integration documentation analysis

Recommendations

Add WETH withdrawal functionality to the GmxProxy contract:

```solidity
function withdrawWeth() external onlyOwner {
    uint256 balance = IERC20(WETH).balanceOf(address(this));
    IERC20(WETH).safeTransfer(msg.sender, balance);
}
```

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_gmx_send_WETH_fees

`TokenUtils.sol::sendNativeToken()` has no reason to fail since there is a `receive` function without any instruction in the GmxProxy. It’s the simplest and cheapest transfer possible. Good finding, but there is no likelihood.
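An added example, not part of the submission, the judge's comment, or GMX's code: a simplified Solidity model of the ETH-to-WETH fallback quoted from the GMX documentation, showing that a receiver with an empty `receive()` stays on the ETH path and that only a receiver that rejects ETH ends up holding WETH. All contract and function names are hypothetical, and `gasLimit` stands in for `NATIVE_TOKEN_TRANSFER_GAS_LIMIT`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the fallback described in the quoted GMX docs.
// Names are hypothetical; this is not GMX's TokenUtils implementation.
interface IWETH {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

contract NativeSenderModel {
    IWETH public immutable weth;
    uint256 public immutable gasLimit; // stand-in for NATIVE_TOKEN_TRANSFER_GAS_LIMIT

    event SentAsEth(address indexed to, uint256 amount);
    event SentAsWeth(address indexed to, uint256 amount);

    constructor(IWETH _weth, uint256 _gasLimit) {
        weth = _weth;
        gasLimit = _gasLimit;
    }

    receive() external payable {} // lets the model be funded with ETH

    function sendNative(address to, uint256 amount) external {
        // Plain value transfer with capped gas and empty calldata.
        (bool ok, ) = to.call{value: amount, gas: gasLimit}("");
        if (ok) {
            emit SentAsEth(to, amount);
            return;
        }
        // Fallback: wrap the ETH and push WETH. An ERC-20 transfer does not
        // run any code on the receiver, so the receiver cannot reject it.
        weth.deposit{value: amount}();
        require(weth.transfer(to, amount), "WETH transfer failed");
        emit SentAsWeth(to, amount);
    }
}

// Empty receive(): the ETH path succeeds, so no WETH is ever sent here.
contract EmptyReceiveReceiver {
    receive() external payable {}
}

// receive() reverts: the fallback fires and WETH accumulates here,
// recoverable only if the contract exposes an ERC-20 withdrawal.
contract RevertingReceiver {
    receive() external payable { revert("no ETH"); }
}
```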
