DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Cross-Protocol State Contamination

Summary

A critical state management vulnerability exists in the _runSwap function due to shared state variables across multiple swap protocols (DEX/GMX). This allows residual swap progress data from failed operations to corrupt subsequent transactions, leading to fund duplication and accounting inconsistencies. The root cause is the improper reuse of the swapProgressData structure between different swap protocols.

Vulnerability Details

Technical Background

The swapProgressData struct tracks swap progress across operations:

    struct SwapProgress {
        bool isCollateralToIndex;
        uint256 swapped; // Accumulated across protocols
        uint256 remaining;
    }

When processing multi-protocol swaps:

    function _runSwap(bytes[] memory metadata, ...) internal {
        if (metadata.length == 2) {
            // Processes DEX then GMX swap
            swapProgressData.swapped += _doDexSwap(...); // ← State contamination point
            _doGmxSwap(...);
        }
    }

Impact

Attack Vectors

State Contamination Sequence:

  1. Initial Legitimate Swap

    • DEX swap completes partially: swapped = 5 ETH

    • GMX swap fails (e.g., slippage error)

  2. Malicious Exploitation

    • Attacker initiates new swap with same collateral pair

    • Contract uses residual swapped=5 value

    • New swap amount calculation includes contaminated data

Proof of Concept

Attack Transaction Flow:

    // Transaction 1: Failed hybrid swap
    bytes[] memory metadata = [
        encodeDexSwap(5 ETH), // Succeeds
        encodeGmxSwap(5 ETH) // Fails
    ];
    vault.runNextAction(prices, metadata); // Leaves swapProgressData.swapped=5

    // Transaction 2: Exploit residual state
    bytes[] memory newMetadata = [encodeDexSwap(5 ETH)];
    vault.runNextAction(prices, newMetadata);
    // Actual swapped: 5 + 5 = 10 ETH
    // Reported swapped: 5 (prev) + 5 = 10 (correct)
    // BUT shares minted with 10 ETH value while actual swap only 5 ETH

Tools Used

  1. Double-counting of swap amounts between protocols

  2. Artificial inflation of minted shares

  3. Protocol insolvency due to reserve/accounting mismatch

  4. Indirect price manipulation through fake swap volumes
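
The shared-progress pattern described in this submission, as an added example that is neither part of the submission nor the audited contract's code: a two-leg swap whose progress struct is assigned at the start of each flow and cleared on every exit path. Only `SwapProgress` and `swapProgressData` are names from the page; the contract, the `operator` role, the callback names and the assumption that the second leg settles asynchronously are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the audited contract. SwapProgress and
// swapProgressData are names from the page; all other names are hypothetical.
contract SwapProgressModel {
    struct SwapProgress {
        bool isCollateralToIndex;
        uint256 swapped;
        uint256 remaining;
    }

    SwapProgress public swapProgressData;
    bool public flowOpen;               // true while the second leg is pending
    address public immutable operator;  // only caller allowed to drive the flow
    constructor(address operator_) { operator = operator_; }
    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    // Leg 1 fills synchronously; leg 2 is assumed to be an asynchronous order
    // settled in a later transaction. (A revert inside one transaction rolls back
    // leg 1's storage writes too, unless the failing call is caught.)
    function startSwap(uint256 amount, uint256 leg1Filled, bool collateralToIndex)
        external onlyOperator
    {
        require(!flowOpen, "previous flow not settled");
        require(leg1Filled <= amount, "overfill");
        // Assign rather than `+=`, so nothing from an earlier flow carries over.
        swapProgressData = SwapProgress(collateralToIndex, leg1Filled, amount - leg1Filled);
        flowOpen = true;
    }

    function onLeg2Executed(uint256 filled) external onlyOperator returns (uint256 total) {
        require(flowOpen, "no open flow");
        total = swapProgressData.swapped + filled;
        _close();
    }

    // Cancellation arrives in its own transaction, so leg 1's progress is still
    // in storage and must be cleared explicitly.
    function onLeg2Cancelled() external onlyOperator {
        require(flowOpen, "no open flow");
        _close();
    }

    function _close() private {
        delete swapProgressData;
        flowOpen = false;
    }
}
```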

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
