An attacker can avoid being auto Delevareged by using the keepers input to its disadvantage
Summary
An attacker can avoid being auto Delevareged by using the keepers' input to its disadvantage
Vulnerability Detail
When the long token dosnt equal the index token the system can become insolvent, to solve this we auto-deleverage positions.
But an attacker can get around adl, by updating the position by x (x=sizeInusd) and since this check below would revert the keeper won't execute it and the positions wont get delevareged which can make the protocol unsolvent
if (params.sizeDeltaUsd > position.sizeInUsd()) {
revert InvalidSizeDeltaForAdl(params.sizeDeltaUsd, position.sizeInUsd());
}
ex:
bob has $10,000 of collateral and has 10x leverage on his position = $100,000
Now, let's say the price of an index token suddenly drops by 50%, below Bob's liquidation price. At this point, Bob's position is highly leveraged, and he has lost $50,000, which is five times his initial collateral. Then the exchange might have to take the bad debt.
the keeper makes a tx to add the position and decrease the leverage
bob front runs the keeper and makes the position.sizeInUsd-1
the keeper function would revert which is an issue in itself but the effects of a revert mean if there is a huge decrease in price(rapid rate ) the protocol won't be able to recover and the attacker(bob) will cause bad debt
Impact
bad debt to the protocol
Code Snippet
if (params.sizeDeltaUsd > position.sizeInUsd()) {
revert InvalidSizeDeltaForAdl(params.sizeDeltaUsd, position.sizeInUsd());
}
simon135
high
An attacker can avoid being auto Delevareged by using the keepers input to its disadvantage
Summary
An attacker can avoid being auto Delevareged by using the keepers' input to its disadvantage
Vulnerability Detail
When the long token dosnt equal the index token the system can become insolvent, to solve this we auto-deleverage positions. But an attacker can get around adl, by updating the position by x
(x=sizeInusd)and since this check below would revert the keeper won't execute it and the positions wont get delevareged which can make the protocol unsolventex: bob has $10,000 of collateral and has 10x leverage on his position = $100,000 Now, let's say the price of an index token suddenly drops by 50%, below Bob's liquidation price. At this point, Bob's position is highly leveraged, and he has lost $50,000, which is five times his initial collateral. Then the exchange might have to take the bad debt.
position.sizeInUsd-1 the keeper function would revert which is an issue in itself but the effects of a revert mean if there is a huge decrease in price(rapid rate ) the protocol won't be able to recover and the attacker(bob) will cause bad debtImpact
bad debt to the protocol
Code Snippet
https://github.com/gmx-io/gmx-synthetics/blob/f88b0ad5eaa3c367edcb489e1cbede00528750fe/contracts/adl/AdlUtils.sol#L129-L131
Tool used
Manual Review
Recommendation
remove that check or make keepers use flash bots