Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`PerpetualVault` collateral token is limited to USDC

izuman

Summary

When the contract is initialized the collateral token is set in the following line:

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L192-L194

collateralToken = IERC20(marketInfo.shortToken);

This means the collateral token is restricted to the markets short token which for all the current GMX markets on Arbitrum and Avalanche is USDC.

Here you can see all the collaterl for short positions is USDC:

https://app.gmx.io/#/trade/short

Here is how the short token is determined in GMX:

https://github.com/gmx-io/gmx-synthetics/blob/ca84cb460b031a867ac193ad241d230bb6c2f840/contracts/market/Market.sol#L13-L16

Thus, the vault's collateral token is limited to only USDC. This is in contrast to the intended design of the vault: https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L160

Vulnerability Details

USDC is the only collateral token supported

Impact

Only USDC can be deposited as a collateral token into the vault.

Tools Used

Manual Review and Foundry

Recommendations

There are multiple options:

  1. Only support USDC as collateral and leave the contract logic unchanged

  2. Use paraswap or a similar DEX to swap the deposited token into the collateral token.

  3. Lastly, adding support for a collateral token that is not the market's short token would require a major change.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!