Incorrect requirement to send execution fee when creating an order
This issue is part of a different set of vulnerabilities that 0xKato and I (0xWeiss) found during the review of Lexer Markets V2, which was forking GMX V1.
If you are a protocol owner or someone integrating with GMX V1, GMX V2, or LEXER Markets, reach out to my DMs on Twitter: 0xWeiss or email: mweiss.eth@gmail.com. We will make sure your code is as secure as possible.
REPORT:
GMX requires a user to send an execution fee in createSwapOrder and createIncreaseOrder. The execution fee is validated by the following check: require(_executionFee >= minExecutionFee, "OrderBook: insufficient execution fee");
The require statement in createDecreaseOrder uses the wrong comparison operator, as can be seen below: require(msg.value > minExecutionFee, "OrderBook: insufficient execution fee");
Because this comparison is strict (> instead of >=), an order sent with exactly minExecutionFee reverts. A user therefore has to pay more in execution fees than the minimum requirement, resulting in additional lost funds for users.
PoC:
it.only("Incorrect requirement to send execution fee when creating an order", async () => {
  await positionManager.setOrderKeeper(user1.address, true)
  await positionManager.connect(user1).increasePosition([dai.address], btc.address, expandDecimals(50000, 18), 0, toUsd(100000), false, toNormalizedPrice(50000))
  await router.connect(user1).approvePlugin(orderBook.address)

  // minExecutionFee() is a contract call, so the result must be awaited
  let executionFee = await orderBook.minExecutionFee()

  // Sending exactly minExecutionFee fails the strict `>` check, so the revert
  // is raised by createDecreaseOrder itself, before any order is stored
  await expect(orderBook.connect(user1).createDecreaseOrder(
    btc.address, // indexToken
    toUsd(10000), // sizeDelta
    dai.address, // collateralToken
    toUsd(5000), // collateralDelta
    false, // isLong
    toUsd(0), // triggerPrice
    true, // triggerAboveThreshold
    {value: executionFee}
  )).to.be.revertedWith("OrderBook: insufficient execution fee")
})
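
A review-time check for the inconsistency described in the report, as an added example that is not part of the original report or of the GMX code base: it scans Solidity source for require statements that compare a value against minExecutionFee and flags the functions that reject a payment of exactly the minimum. The sample contract is constructed, with simplified signatures and bodies reduced to the two require statements quoted above; auditFeeChecks and strictChecks are hypothetical helper names.

```javascript
// Constructed sample: signatures are simplified and function bodies are
// reduced to the two require statements quoted in the report.
const SAMPLE_SOURCE = `
contract OrderBook {
    uint256 public minExecutionFee;
    function createSwapOrder(uint256 _executionFee) external payable {
        require(_executionFee >= minExecutionFee, "OrderBook: insufficient execution fee");
    }
    function createIncreaseOrder(uint256 _executionFee) external payable {
        require(_executionFee >= minExecutionFee, "OrderBook: insufficient execution fee");
    }
    function createDecreaseOrder() external payable {
        require(msg.value > minExecutionFee, "OrderBook: insufficient execution fee");
    }
}`;

// Returns one record per require() that checks a value against
// minExecutionFee with ">=" or ">", tagged with the enclosing function.
function auditFeeChecks(source) {
  const findings = [];
  let currentFn = null;
  source.split("\n").forEach((line, i) => {
    const fn = line.match(/\bfunction\s+(\w+)\s*\(/);
    if (fn) currentFn = fn[1];
    const check = line.match(/require\(\s*([\w.]+)\s*(>=|>)\s*minExecutionFee\b/);
    if (check) {
      findings.push({
        fn: currentFn,
        line: i + 1,
        operand: check[1],
        operator: check[2],
        // Of the two operators matched, only ">=" lets a payment of
        // exactly minExecutionFee through.
        acceptsExactMinimum: check[2] === ">=",
      });
    }
  });
  return findings;
}

// Names of the functions whose fee check rejects the exact minimum.
function strictChecks(source) {
  return auditFeeChecks(source)
    .filter((f) => !f.acceptsExactMinimum)
    .map((f) => f.fn);
}

console.log(auditFeeChecks(SAMPLE_SOURCE));
console.log("rejects exact minimum:", strictChecks(SAMPLE_SOURCE));
```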