DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Valid

Fees are not calculated correctly

Summary

The GmxProxy::getExecutionGasLimit function is responsible for estimating the gas required to execute various GMX operations, such as deposits, withdrawals, and swaps. However, the current implementation has critical flaws in how gas fees are calculated, leading to potential underpayment or overpayment of gas fees. These issues stem from static assumptions about the number of swaps and oracle prices, which do not account for dynamic transaction requirements.

Vulnerability Details

1. Static Assumption of Swap Count

The function assumes that only one swap will occur for all order types. This is evident in the following code:

    estimatedGasLimit =
        dataStore.getUint(DECREASE_ORDER_GAS_LIMIT) +
        gasPerSwap; // Assumes only one swap

However, in practice, transactions may involve multiple swaps, especially in complex operations like multi-hop swaps or batch transactions. This static assumption leads to incorrect gas estimations.

2. Hardcoded Oracle Price Count

The function uses a hardcoded value for the number of oracle prices (oraclePriceCount = 5):

uint256 oraclePriceCount = 5; // Hardcoded value

This value is derived from the formula numberOfSwaps + 3, but it is not dynamically calculated. As a result:

  • If the number of swaps is greater than 2, the oracle price count will be underestimated, leading to insufficient gas fees.

  • If the number of swaps is less than 2, the oracle price count will be overestimated, causing users to overpay.

Impact

  1. Insufficient Gas Fees:

    • Transactions may fail due to insufficient gas, leading to a poor user experience and potential loss of funds.

    • Failed transactions can also result in wasted gas fees.

  2. Overpayment of Gas Fees:

    • Users may pay more than necessary for gas, reducing the cost-effectiveness of the protocol.

    • Overpayment can discourage users from using the platform, especially in high-frequency trading scenarios.

Tools Used

Manual Code Review

Recommendations

1. Dynamic Swap Count Calculation

Introduce a parameter to dynamically calculate the number of swaps based on the transaction requirements. For example:

    function getExecutionGasLimit(
        Order.OrderType orderType,
        uint256 _callbackGasLimit,
        uint256 numberOfSwaps // Add this parameter
    ) public view returns (uint256 executionGasLimit) {
        // Scale the per-swap gas limit by the number of swaps in the order
        uint256 gasPerSwap = dataStore.getUint(SINGLE_SWAP_GAS_LIMIT) * numberOfSwaps;
        // ... (rest of the function body is not shown in this recommendation)
    }

2. Dynamic Oracle Price Count

Replace the hardcoded oraclePriceCount with a dynamic calculation based on the number of swaps:

uint256 oraclePriceCount = numberOfSwaps + 3; // Dynamic calculation
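
An added example, not part of the submission or the project's code, that puts the static estimate beside the dynamic one for the decrease-order case and exposes the gas left unfunded on a multi-hop path. The IDataStore interface, the key values, the contract and function names, and taking numberOfSwaps from swapPath.length (swapPath is the field named in the judge's finding tag) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal view of the data store used in the report's snippets.
interface IDataStore {
    function getUint(bytes32 key) external view returns (uint256);
}

contract ExecutionGasEstimateExample {
    // Placeholder key values; the real keys are defined by the project.
    bytes32 internal constant DECREASE_ORDER_GAS_LIMIT = keccak256("PLACEHOLDER_DECREASE_ORDER_GAS_LIMIT");
    bytes32 internal constant SINGLE_SWAP_GAS_LIMIT = keccak256("PLACEHOLDER_SINGLE_SWAP_GAS_LIMIT");

    IDataStore public immutable dataStore;

    constructor(IDataStore _dataStore) {
        dataStore = _dataStore;
    }

    // Static form described in the report: one swap and five oracle prices,
    // whatever the order's swap path looks like.
    function staticEstimate() public view returns (uint256 gasLimit, uint256 oraclePriceCount) {
        gasLimit = dataStore.getUint(DECREASE_ORDER_GAS_LIMIT) + dataStore.getUint(SINGLE_SWAP_GAS_LIMIT);
        oraclePriceCount = 5;
    }

    // Dynamic form: both values scale with the number of hops in swapPath.
    function dynamicEstimate(address[] calldata swapPath)
        public view returns (uint256 gasLimit, uint256 oraclePriceCount)
    {
        uint256 numberOfSwaps = swapPath.length; // assumption: one swap per path entry
        gasLimit = dataStore.getUint(DECREASE_ORDER_GAS_LIMIT)
            + dataStore.getUint(SINGLE_SWAP_GAS_LIMIT) * numberOfSwaps;
        oraclePriceCount = numberOfSwaps + 3;
    }

    // Gas the static form leaves unfunded for a given path (0 when it overestimates).
    function gasShortfall(address[] calldata swapPath) external view returns (uint256) {
        (uint256 staticGas, ) = staticEstimate();
        (uint256 dynamicGas, ) = dynamicEstimate(swapPath);
        return dynamicGas > staticGas ? dynamicGas - staticGas : 0;
    }
}
```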

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_swapPath_does_not_increase_the_executionFee

Likelihood: Low/Medium, when swapPath has more than 1 item. Impact: Medium/High, could lead to not enough fee collected to execute the transaction in GMX
