Liquidity Management

Summary

A vulnerability in the price impact calculation during deposits into GMX allows an attacker to artificially inflate the number of shares they receive while devaluing shares held by existing depositors. By strategically timing deposits with price fluctuations and injecting large amounts of capital, an attacker can extract value at the expense of other users. This results in unfair losses for existing depositors, ultimately draining value from the system.

Vulnerability Details

1. Price Impact Calculation in Deposits

When a user deposits collateral into GMX, the price impact is calculated using the VaultReader.getPriceImpactInCollateral() function in the afterOrderExecutionfunction. The price impact is then used to adjust the deposit amount before minting shares.

2. Share Minting Mechanism

The adjusted deposit amount is used to mint new shares. The issue arises because the calculation allows an attacker to mint a disproportionate number of shares when price impact is in their favor, devaluing the shares of existing depositors.

However, the above description is favourable to the new depositor in the case of negative price impact i.e (expectedSizeInTokensDelta <
realSizeInTokensDelta). But new innocent depositors can also be affected in case of a positive price impact i.e (expectedSizeInTokensDelta >
realSizeInTokensDelta). resulting in reduced share minting for new depositors and more share value or existing depositors

Impact

• Unfair Share Distribution: The attacker receives a larger share of the vault relative to their actual contribution.

• Existing Depositors Lose Value: The vault’s total share supply increases, reducing the value of each existing share.

POC

paste in /test/PerpetualVault.t.sol

** log result

alice lost 6413009424

bob gained 3182454942

Bob deposit instantly eats up more than 60% of alice fund