simon135 - `manager.getPrice(false)` returns lower value than if it was true,which an attacker can take advantage of it

[github-actions[bot]]

simon135

high

manager.getPrice(false) returns lower value than if it was true,which an attacker can take advantage of it

Summary

manager.getPrice(false) returns a lower value than if it was true which is then a lower price that an attacker can take advantage of it

Vulnerability Detail

In the gmx docs:

The price of GLP is based on the total worth of all tokens in the pool and factors in pending profits and losses from all currently opened positions. Buy price: glpManager.getPrice(true) Sell price: glpManager.getPrice(false) Since there might be a spread for token pricing, passing in true into the getPrice function returns the maximum price at that point in time, while passing in false returns the minimum price.

---

Because getPrice(false) can be a lower value an attacker can take advantage of the smaller price and cause a loss to the protocol. ex:(pseudo example) getPrice(false)=2000 getPrice(true)=3000 If an attacker can buy tokens with the getPrice(false) they will get a discount and not pay 3000 per token

Impact

loss of funds

Code Snippet

return manager.getPrice(false) / (getEthPrice() * 1e4);

https://github.com/sentimentxyz/oracle/blob/e940955eba38562d2e27059787294e458e28fe7e/src/gmx/GLPOracle.sol#L43

Tool used

Manual Review

Recommendation

return getPrice(true) or you can have a parm that specifies buying or selling and figure out the price that way

[r0ohafza]

As suggested by the gmx tean the sell price of the glp token can be obtained by calling manager.getPrice(false), This is important since any liquidator liquidating an account will be receiving an equivalent amount of the underlying asset while selling glp. Also the PoC does not demonstrate any valid attack taking advantage of the mentioned issue.

[hrishibhat]

Closing this issue based on Sponsor comment.