GMX V1 BOUNTY (3)

0xWeiss
1 min readJan 2, 2024

--

Incorrect requirement to send execution fee when creating an order

This issue is part of a different set of vulnerabilities that 0xKato and I (0xWeiss) found during the review of Lexer Markets V2, which was forking GMX V1.

If you are a protocol owner or someone integrating with GMX V1, GMX V2, or LEXER Markets, reach out to my DMs on Twitter: 0xWeiss or email: mweiss.eth@gmail.com . We will make sure your code is as secure as possible.

REPORT:

GMX requires a user to send an execution fee in the createSwapOrder and createIncreaseOrder. The execution fee is validated by the following check: require(_executionFee >= minExecutionFee, "OrderBook: insufficient execution fee");

There is a mistake when assigning the comparison operators in the require statement in createDecreaseOrder as can be seen below: require(msg.value > minExecutionFee, "OrderBook: insufficient execution fee");

This means that a user will have to pay more in execution fees than the minimum requirement, resulting in additional lost funds for the users.

PoC:

it.only("Incorrect requirement to send execution fee when creating an order", async () => {

await positionManager.setOrderKeeper(user1.address, true)

await positionManager.connect(user1).increasePosition([dai.address], btc.address, expandDecimals(50000, 18), 0, toUsd(100000), false, toNormalizedPrice(50000))

await router.connect(user1).approvePlugin(orderBook.address)

let executionFee = orderBook.minExecutionFee();

await orderBook.connect(user1).createDecreaseOrder(
btc.address, // indexToken
toUsd(10000), // sizeDelta
dai.address, // collateralToken
toUsd(5000), // collateralDelta
false, // isLong
toUsd(0), // triggerPrice
true, // triggerAboveThreshold
{value: executionFee}
);

let orderIndex = (await orderBook.decreaseOrdersIndex(user1.address)) - 1

expect(await positionManager.connect(user1).executeDecreaseOrder(user1.address, orderIndex, user1.address)).to.be.revertedWith("OrderBook: insufficient execution fee");
})

--

--