sherlock-audit / 2023-01-sentiment-judging


obront - GLP price may be slightly understated due to GMX math error, which could lead to unfair liquidations #6

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

obront

medium

GLP price may be slightly understated due to GMX math error, which could lead to unfair liquidations

Summary

GMX has a disclosed math error in the contracts which leads to the GLP price being slightly overstated (up to ~0.6%). The GLPOracle relies on the faulty function, and should therefore compensate for this error to avoid unfair liquidations.

Vulnerability Detail

There is an error in GMX's calculation for the GLP price based on a miscalculation performed when closing short positions. The details of this issue are laid out here: https://twitter.com/BatchBrewCoder/status/1605291751476002816

GMX has responded to the disclosure, acknowledging the issue and setting a benchmark that GLP prices may be understated by approximately 0.6% on Arbitrum: https://twitter.com/GMX_IO/status/1605387484656832514

While 0.6% is a small amount, it may be the difference between a user being liquidated and not. For example:

Impact

Users may be unfairly liquidated because GLP price is slightly lower than it should be.

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/oracle/src/gmx/GLPOracle.sol#L42-L45

Tool used

Manual Review

Recommendation

Do not launch a GLP Oracle until GMX has confirmed this issue is fully resolved. If necessary, add an owner-controlled value into the contract that slightly increases the oracle price to ensure it accounts for this inaccuracy.
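
One way the owner-controlled adjustment from the Recommendation could look, as an added example that is not part of the original report or of Sentiment's code. The interface `IRawGLPPriceSource`, the contract name and the 1% cap are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical interface: stands in for whatever the oracle reads the raw GLP price from.
interface IRawGLPPriceSource {
    function getRawPrice() external view returns (uint256);
}

contract AdjustedGLPOracle {
    uint256 public constant BPS = 10_000;
    // Assumed hard cap (1%). An upward adjustment raises collateral value, so the
    // owner must not be able to set it arbitrarily high and create bad debt.
    uint256 public constant MAX_ADJUSTMENT_BPS = 100;

    IRawGLPPriceSource public immutable source;
    address public immutable owner;
    uint256 public adjustmentBps; // e.g. 60 = +0.6%; set to 0 once the upstream error is fixed

    event AdjustmentUpdated(uint256 oldBps, uint256 newBps);

    error NotOwner();
    error AdjustmentTooLarge();

    constructor(IRawGLPPriceSource _source, uint256 _adjustmentBps) {
        if (_adjustmentBps > MAX_ADJUSTMENT_BPS) revert AdjustmentTooLarge();
        source = _source;
        owner = msg.sender;
        adjustmentBps = _adjustmentBps;
    }

    // Owner-only, bounded, and logged so every change is visible on-chain.
    function setAdjustment(uint256 newBps) external {
        if (msg.sender != owner) revert NotOwner();
        if (newBps > MAX_ADJUSTMENT_BPS) revert AdjustmentTooLarge();
        emit AdjustmentUpdated(adjustmentBps, newBps);
        adjustmentBps = newBps;
    }

    // Raw price scaled up by the configured basis points.
    function getPrice() external view returns (uint256) {
        uint256 raw = source.getRawPrice();
        return (raw * (BPS + adjustmentBps)) / BPS;
    }
}
```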

r0ohafza commented 1 year ago

Will be opening a communication channel with gmx to confirm this and mitigate the issue.

r0ohafza commented 1 year ago

Confirmed with the gmx team that this issue has been resolved!

zobront commented 1 year ago

For Sherlock judging: confirming this issue should no longer be valid if GMX says the issue is resolved.

hrishibhat commented 1 year ago

Closing this issue based on the comments and on the condition that the GMX issue has been resolved.