Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Incorrect Collateral Balance Tracking in MarketDecrease

kimnoic

Summary

A critical accounting error exists in the afterOrderExecution callback when processing GMX MarketDecrease orders. The miscalculation of prevCollateralBalance leads to systematic underpayment of withdrawal amounts to users. This vulnerability stems from incorrect ordering of balance adjustment operations after receiving funds from GMX.

Vulnerability Details

Technical Background

When closing positions via MarketDecrease orders:

GMX returns collateral via orderResultData.outputAmount
Contract balance automatically increases before callback execution
prevCollateralBalance calculation attempts to track pre-operation state

Affected Code

// PerpetualVault.sol - afterOrderExecution

function afterOrderExecution(...) external {

// ...

} else if (orderResultData.orderType == Order.OrderType.MarketDecrease) {

// Flawed balance calculation:

uint256 prevCollateralBalance = collateralToken.balanceOf(address(this))

- orderResultData.outputAmount; // ← Vulnerability here

nextAction.data = abi.encode(

prevCollateralBalance, // Used in withdrawal calculations

sizeInUsd == 0,

false

);

}

Root Cause Analysis

The calculation assumes outputAmount was added to the balance after this line. However:

GMX transfers outputAmount before triggering callback
collateralToken.balanceOf() already includes outputAmount
Subtracting outputAmount creates an artificial undercount

Impact

Withdrawal calculations use inflated "previous" balance
Users receive less collateral than entitled
Protocol accrues unaccounted funds through systematic underpayment

Tools Used

manual review

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!