DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Reliance on External Systems (GMX and Chainlink) could lead to financial losses, unfair liquidations, and protocol instability

Summary

The contract relies heavily on external systems, such as GMX and Chainlink, for retrieving position information and market prices. If these systems are compromised, delayed, or manipulated, it could lead to incorrect data being used in the protocol.

Vulnerability Details

The vulnerability can be found in the lines of code below:

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/VaultReader.sol#L48-L94

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/VaultReader.sol#L96-L113

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/VaultReader.sol#L115-L155

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/VaultReader.sol#L157-L169

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/VaultReader.sol#L171-L190

Proof of Concept (PoC):

  • An attacker manipulates the Chainlink price feed for a token, causing it to report an artificially low or high price.

  • The getPositionInfo function uses the manipulated price to calculate position data, leading to incorrect valuations.

  • Example:

    PositionInfo memory positionInfo = gmxReader.getPositionInfo(
        address(dataStore),
        referralStorage,
        key,
        prices,
        uint256(0),
        address(0),
        true
    );

    If prices are manipulated, the position data will be incorrect.

Impact

Incorrect data could lead to financial losses, unfair liquidations, and protocol instability.

Tools Used

Deepseek

Recommendations

  • Use multiple independent price oracles to validate prices and reduce reliance on a single source.

  • Implement price deviation checks to detect and respond to anomalies.

  • Add a grace period for price updates to account for potential delays.
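The three recommendations above, written out as an added example that is not code from the Gamma contest contracts: a hypothetical reader that rejects stale or non-positive Chainlink answers and only trusts the primary feed when an independent secondary feed agrees within a tolerance. The feed addresses, the `maxStaleness` window and the `maxDeviationBps` tolerance are assumed deployment parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface (real signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical reader (added example): a price is only returned when the primary feed is
// fresh and positive, and agrees with an independent secondary feed within a tolerance.
contract GuardedPriceReader {
    uint256 private constant BPS = 10_000;
    AggregatorV3Interface public immutable primary;
    AggregatorV3Interface public immutable secondary;
    uint256 public immutable maxStaleness;    // seconds; assumed to match the feed heartbeat (grace period)
    uint256 public immutable maxDeviationBps; // assumed tolerance, e.g. 200 = 2%

    error InvalidPrice(address feed, int256 answer);
    error StalePrice(address feed, uint256 updatedAt);
    error PriceDeviation(uint256 primaryPrice, uint256 secondaryPrice);

    constructor(AggregatorV3Interface p, AggregatorV3Interface s, uint256 staleness, uint256 deviationBps) {
        primary = p; secondary = s; maxStaleness = staleness; maxDeviationBps = deviationBps;
    }

    // Reads one feed, rejects non-positive or stale answers, and normalises the price to 18 decimals.
    function _readFeed(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(address(feed), answer);
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(address(feed), updatedAt);
        }
        return uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
    }

    // Returns the primary price (18 decimals) only if the secondary feed agrees within maxDeviationBps.
    function getValidatedPrice() external view returns (uint256 price) {
        price = _readFeed(primary);
        uint256 reference = _readFeed(secondary);
        uint256 diff = price > reference ? price - reference : reference - price;
        if (diff * BPS > reference * maxDeviationBps) revert PriceDeviation(price, reference);
    }
}
```

A caller such as a position valuation path would consume `getValidatedPrice()` instead of raw feed output, so a single stale or diverging source reverts the operation rather than silently producing wrong position data.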

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
