GammaSwap Edge Case Vulnerability Identified

Daniel Alcarraz, CFA
GammaSwap Labs
Oct 11, 2023

An edge case in the protocol has been reported by a whitehat via ImmuneFi. To ensure the solvency of the protocol, current contracts have been frozen given they are non-upgradeable. The interface will migrate to updated contracts soon.

All trade (borrow) positions have been closed. Liquidity positions are in withdrawal mode only. No funds are currently at risk.

As many of you know, GammaSwap is a novel, oracle-free volatility DEX that is completely unique, which opens up new trading strategies but also potential vulnerabilities that would-be attackers could exploit.

Our ImmuneFi bounty has been up for several weeks, and today we received a report of a potentially critical issue involving an edge case. It is an edge case that is quite difficult to execute and can only happen under a certain uncommon scenario; however, we have decided to freeze the contracts and enter withdrawal-only mode. All trade (loan) positions have been closed and collateral is able to be redeemed. No funds are currently at risk.

GammaSwap was built to be immutable and permissionless. We are aware that the protocol is novel, and that’s why we spent 9 months testing on Arbitrum Testnet and began with a “soft launch” without token incentives and with only a few pools. We will always be transparent with our community and do what is in the best interests of our users. Our conservative approach is intentional and designed to preserve the solvency of the protocol.

Although not an ideal situation, we are glad that the protocol is 100% solvent and that we can come back from this even stronger with a robust primitive that will stand the test of time.

Instructions for Traders

If you had a trade (loan) position opened, it will be closed now and there may be additional collateral for you to withdraw.

To see your closed positions and to withdraw collateral, navigate first to the Portfolio Page, click on the Borrowed tab, and then click the View History button.

Once you have clicked the View History button, you should see the below screen.

If you have any positions that were forcibly closed, there may be collateral to withdraw.

Simply click Withdraw Collateral and you should receive the collateral tokens directly in your wallet.

Instructions for Liquidity Providers

Navigate to the Portfolio section and click on the Supplied tab.

Once on the Supplied tab, click on a Liquidity Position you would like to close.

This will navigate you to the pool page. Click the Withdraw button, click Max and Approve, then Confirm the transaction.

The collateral tokens should be in your wallet after the transaction confirms.

What’s next?

  1. Issue a post-mortem report
  2. Work with security auditors to address the issue
  3. Redeploy the contracts
