hack3r-0m - net negative sum outcome when liquidating below cetain size

[sherlock-admin]

hack3r-0m

high

net negative sum outcome when liquidating below cetain size

Summary

keeper gets paid via treasury for liquidating underwater positions, if net gain for protocol + keeper is less than gas and resources required to liquidated then it is net loss for the protocol

Vulnerability Detail

there is no minimum amount of collateral required to open a position via createOrder, a malicious actor can open market increase order with very low amount and max leverage. If that account gets underwater, keeper liquidates it and gets paid by treasury but max amount that treasury can get is initial deposit collateral which can be less than potential bad debt accrued + liquidation fees paid to keeper.

(note: exeuctionFee paid by user is for executing order which is conusumed (and / or partially refunded) when order is executed which is seperate from cost of liquidating that account)

Impact

As mentioned above, in such cases, it will be net loss for protocol and user can make mass risk-free trades.

example for a specifc market:

3$ collateral at 50x leverage long + 0.15$ executionFee
3$ collateral at 50x leverage short + 0.15$ executionFee

prices move in either direction such that one of the position's value is > 6.3$ (total cost to trader) and other account is underwater (collateral < PnL), so there is net loss for protocol to pay for bad debt + cost of liquidating one of the position.

borrowing fees doesn't help here because attacking trader doesn't care about recovering collateral from one of the underwater position.

Code Snippet

• https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/order/OrderUtils.sol#L170-L171
• https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/router/ExchangeRouter.sol#L168
• https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/liquidation/LiquidationUtils.sol#L23

Tool used

Manual Review

Recommendation

require minimum collateral delta to be greater than some notional threshold (for e.g 10$)

[hack3r-0m]

Escalate for 10 USDC

This should be medium severity under https://docs.sherlock.xyz/audits/judging/judging#how-to-identify-a-medium-issue:

A material loss of funds, no/minimal profit for the attacker at a considerable cost

no profit for attacker while loss (considerable magnitude) for treasury and / or keeper

[sherlock-admin]

Escalate for 10 USDC

This should be medium severity under https://docs.sherlock.xyz/audits/judging/judging#how-to-identify-a-medium-issue:

A material loss of funds, no/minimal profit for the attacker at a considerable cost

no profit for attacker while loss (considerable magnitude) for treasury and / or keeper

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[IllIllI000]

There is a MIN_COLLATERAL_USD and it's checked during increases

[hrishibhat]

Escalation rejected

This is not a valid issue as the mentioned scenario is not possible due to the checks present

[sherlock-admin]

Escalation rejected

This is not a valid issue as the mentioned scenario is not possible due to the checks present

This issue's escalations have been rejected!

Watsons who escalated this issue will have their escalation amount deducted from their next payout.