Bugs in Gains Network fork let traders profit 900% on every trade: Report

Blockchain security firm Zellic has disclosed two vulnerabilities affecting forks of the Gains Network protocol. The first allowed an attacker to bypass a check that should have prevented opening a trade with a stop-loss above its entry price, giving the attacker a profit on every trade. It was found in a specific fork, not in the current version of Gains Network.


Zellic's report, published on April 19, describes two distinct vulnerabilities in a specific fork of the Gains Network trading protocol that could have let traders secure profits of up to 900% on each trade, regardless of how the token's price actually moved. One of the bugs had been present in an earlier version of Gains and has since been fixed there. The second was unique to the fork being examined.

According to Zellic, its team notified the developers of Gambit Trade, Holdstation Exchange, and Krav Trade of the vulnerabilities in their respective Gains forks. Those teams have since patched their protocols. Zellic cautioned, however, that other Gains forks could still be at risk.

According to its website, Gains Network is a decentralized finance (DeFi) platform offering products on Polygon and Arbitrum. Its leveraged trading application is called "gTrade." Since its launch in May 2023, it has recorded more than $25 billion in derivatives trading volume, according to the blockchain analytics platform DefiLlama.


Zellic noted that many widely used DeFi trading applications, including Gambit Trade and Holdstation, are built on Gains Network's codebase. While examining one such fork, the researchers identified an exploitable bug, but chose not to disclose which fork it was in.

According to the report, Gains Network users can place three types of orders: market, reversal, and momentum. A market order is executed immediately at whatever the current market price is.

When a momentum or reversal trade is placed through the smart contract, an "order" is stored with the desired trade price. Once the market reaches that price, any user can execute the order by calling the executeLimitOrder function; the executor does not have to be the trader who placed the order, and receives a small "execution fee" for doing so.

Users have the ability to set limit and stop-limit orders just like on a traditional exchange, yet without relying on a centralized intermediary for order execution.

Traders can also set prices at which a trade closes automatically. A take-profit price locks in gains once the trade reaches that level, while a stop-loss price limits losses if the market moves against the position. Together they provide an automated exit strategy based on predefined conditions.

Bug in Gains fork allowed 900% profit on buy orders

Zellic's finding concerned how the fork handled stop-loss orders. When a stop-loss was executed, the trader's stop-loss price was stored in the "currentPrice" variable used to calculate profit and loss. A trader who managed to set a stop-loss above the open price on a buy order would therefore lock in a profit no matter where the market actually moved.

For example, with Bitcoin (BTC) trading at $63,000, a trader opens a buy order at $62,000 with a stop-loss at $64,000. When the price drops to $62,000 the order fills. The price is now below the designated stop-loss, so the stop-loss can be executed immediately.

Because the trader's stop-loss price is recorded as the current market price, the trader pockets a $2,000 profit when the actual gain should have been about $0. An attacker could use this to profit on every trade and ultimately drain the protocol's funds.

To prevent this, the protocol checks when an order is placed that a buy order's stop-loss price is not above its open price, and reverts with the error "wrong_sl" if it is.


However, the investigators discovered that this check could be bypassed in certain circumstances.

When a user places an order, the desired entry price is stored in the "openPrice" variable, and the stop-loss check is run against that value. The function that executes the order, however, overwrites "openPrice" with "a.Price" (the market price) plus the price impact of the new trade, and the check is not repeated. The price the stop-loss was validated against is therefore not the price the trade actually opens at.

A user who entered an absurdly high open price could therefore pass the check, and an executor could still process the order, filling it at a far lower actual open price.

Zellic gave a hypothetical example: an attacker places a buy order at $100000e10, or one quadrillion dollars, with a stop-loss just beneath it at $999.999999999998 trillion. The stop-loss is below the open price, so the check passes. The attacker then executes the order themselves, and openPrice is overwritten with the real market price plus the trade's price impact.

The open trade now has an open price far below its stop-loss, so the stop-loss can be triggered immediately. When the attacker executes it, the profit is calculated from the gap between the actual open price and the stop-loss price.

The trade would have resulted in a 900% profit for the attacker, Zellic claimed.
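The sequence above, as an added example: this is a small Python model written for this page, not code from Gains Network, Zellic or any fork. Order, open_order, execute_order and the close_with_stop_loss_* helpers are hypothetical names, and the 900% profit cap and the flat price impact are assumptions made for illustration. It reproduces the $2,000 case, the quadrillion-dollar bypass, and the two fixes a practitioner would expect: re-running the stop-loss check against the final open price, and settling PnL against the market price rather than the trader's own trigger.

```python
# Added example, not code from Gains Network, Zellic or any fork.
from dataclasses import dataclass
from fractions import Fraction

MAX_GAIN_P = 900  # assumed cap on profit, in percent


@dataclass
class Order:
    buy: bool
    open_price: int      # price the trader typed; overwritten at execution
    sl: int              # stop-loss price (0 = none)
    leverage: int
    collateral: Fraction


def check_sl(buy: bool, open_price: int, sl: int) -> None:
    """The 'wrong_sl' check: a buy's stop-loss must sit below the entry price
    (and a sell's above it)."""
    if sl != 0 and (sl >= open_price if buy else sl <= open_price):
        raise ValueError("wrong_sl")


def open_order(buy: bool, wanted_price: int, sl: int, leverage: int, collateral: int) -> Order:
    check_sl(buy, wanted_price, sl)  # validated only against the price the trader typed
    return Order(buy, wanted_price, sl, leverage, Fraction(collateral))


def execute_order(order: Order, market_price: int, price_impact: int, recheck: bool) -> Order:
    """An executor fills the order. Vulnerable fork: openPrice is replaced by the
    market price plus impact with no further check. Fixed variant: re-run check_sl
    against the price the trade really opens at."""
    order.open_price = market_price + price_impact
    if recheck:
        check_sl(order.buy, order.open_price, order.sl)
    return order


def pnl_percent(order: Order, current_price: int) -> Fraction:
    diff = current_price - order.open_price if order.buy else order.open_price - current_price
    p = Fraction(diff * 100 * order.leverage, order.open_price)
    return min(p, Fraction(MAX_GAIN_P))


def pnl_dollars(order: Order, current_price: int) -> Fraction:
    return order.collateral * pnl_percent(order, current_price) / 100


def _sl_reached(order: Order, market_price: int) -> bool:
    return market_price <= order.sl if order.buy else market_price >= order.sl


def close_with_stop_loss_vulnerable(order: Order, market_price: int) -> Fraction:
    """Bug: the trigger condition uses the market price, but PnL is settled with
    the trader's own stop-loss price as currentPrice."""
    if not _sl_reached(order, market_price):
        raise ValueError("sl_not_reached")
    return pnl_dollars(order, order.sl)


def close_with_stop_loss_fixed(order: Order, market_price: int) -> Fraction:
    """PnL is settled against the market price, never the stored trigger."""
    if not _sl_reached(order, market_price):
        raise ValueError("sl_not_reached")
    return pnl_dollars(order, market_price)


def demo():
    # Article's first scenario (constructed): BTC at 63,000, buy filled at 62,000,
    # stop-loss 64,000. Built directly, since check_sl would correctly reject it.
    naive = Order(True, 62_000, 64_000, 1, Fraction(62_000))
    gain_bug = close_with_stop_loss_vulnerable(naive, 62_000)    # 2000; should be 0
    # The bypass: an absurd open price passes the check, then is overwritten.
    o = open_order(True, 100_000 * 10**10, 999_999_999_999_998, 10, 1_000)
    execute_order(o, 63_000, 1, recheck=False)                    # open_price is now 63,001
    gain_bypass = close_with_stop_loss_vulnerable(o, 63_000)      # capped at 900% of 1,000
    return gain_bug, gain_bypass


if __name__ == "__main__":
    print(demo())
```

Running the same bypass order through execute_order with recheck=True reverts with "wrong_sl", and close_with_stop_loss_fixed on the naive order returns 0, which is what the page says the real gain should have been.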


This first bug was not present in the original Gains Network when Zellic identified it; it had been introduced in the fork under examination. While investigating it, however, the researchers found a second issue that had existed in an earlier version of Gains itself.

Second bug allowed 900% profit on sell orders

The second bug allowed traders to profit 900% on sell orders regardless of price action.

In the Gains fork, when a trade is closed, the stop-loss or take-profit price the user set is cast to Solidity's signed integer type, "int" (int256), before being used to calculate profit as a percentage. If the user set that value to 2^256-1, the cast yields a negative number.

2^256-1 is the largest value an unsigned 256-bit integer can hold, written type(uint256).max in Solidity. In unchecked arithmetic, adding 1 to it overflows and wraps around to zero. The bug here is a different consequence of the same bit pattern: reinterpreted as a signed int256 (two's complement), all 256 bits set is -1.

According to Zellic, with leverage above 9x the calculated profit exceeds 900%, and the function returns the maximum gain of 900%.

“Let’s consider a sell order, with currentPrice as type(uint256).max. The resultant value of diff would be openPrice + 1 (int(type(uint256).max) = -1), and hence the profit percent would be nearly equal to 100 * leverage. Therefore, if the leverage is greater than 9, the function will return the profit as 900%.”

The contract did include a check that rejected 2^256-1 as a take-profit level, but it ran only when an order was first placed. If a user updated the take-profit after the order was open, no check ran, so 2^256-1 could be set then. This gave an automatic profit of roughly 900% on each trade.

This second bug existed in an earlier version of Gains and was fixed in an update. The current version avoids it by running the check not only when take-profit and stop-loss are first set, but also whenever they are updated.
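The cast and the update path described in the preceding paragraphs, as an added example: this Python model was written for this page and is not code from Gains Network, Zellic or any fork. to_int256, sol_div, current_percent_profit, Trade and the update_tp_* helpers are hypothetical names; PRECISION and the 900% cap are assumptions. It shows int(type(uint256).max) coming out as -1, a sell order's "profit" landing at 100 * leverage and being capped at 900, and the difference between checking take-profit only at placement and checking it on update as well.

```python
# Added example, not code from Gains Network, Zellic or any fork.
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1          # type(uint256).max
PRECISION = 10**10                # fixed-point scale for percentages (assumed)
MAX_GAIN_P = 900                  # profit cap in percent (assumed)


def to_int256(x: int) -> int:
    """Solidity's int256(x) for a uint256: same bits, read as two's complement."""
    x &= UINT256_MAX
    return x - 2**256 if x >> 255 else x


def sol_div(a: int, b: int) -> int:
    """Integer division truncating toward zero, as the EVM does (Python's // floors)."""
    q = abs(a) // abs(b)
    return -q if (a < 0) != (b < 0) else q


def current_percent_profit(open_price: int, current_price: int, buy: bool, leverage: int) -> int:
    """Percent PnL scaled by PRECISION, computed the way the quoted passage describes:
    both prices cast to int, diff * 100 * leverage / openPrice, then capped."""
    o, c = to_int256(open_price), to_int256(current_price)
    diff = (c - o) if buy else (o - c)
    p = sol_div(diff * 100 * PRECISION * leverage, o)
    return min(p, MAX_GAIN_P * PRECISION)


def check_tp(buy: bool, open_price: int, tp: int) -> None:
    """A take-profit must lie on the profitable side of the entry (0 = none).
    For a sell, type(uint256).max is rejected because it is not below openPrice."""
    if tp != 0 and (tp <= open_price if buy else tp >= open_price):
        raise ValueError("wrong_tp")


@dataclass
class Trade:
    buy: bool
    open_price: int
    tp: int
    leverage: int


def open_trade(buy: bool, open_price: int, tp: int, leverage: int) -> Trade:
    check_tp(buy, open_price, tp)            # checked at placement
    return Trade(buy, open_price, tp, leverage)


def update_tp_vulnerable(trade: Trade, tp: int) -> None:
    trade.tp = tp                            # earlier Gains / the fork: no check on update


def update_tp_fixed(trade: Trade, tp: int) -> None:
    check_tp(trade.buy, trade.open_price, tp)  # current Gains: checked on update too
    trade.tp = tp


def close_at_tp(trade: Trade) -> int:
    """Settle the trade using its take-profit as currentPrice; returns whole percent."""
    p = current_percent_profit(trade.open_price, trade.tp, trade.buy, trade.leverage)
    return sol_div(p, PRECISION)


def demo() -> int:
    # Constructed scenario: sell at 63,000 with 10x leverage and a sane take-profit,
    # then the take-profit is changed to type(uint256).max after opening.
    t = open_trade(buy=False, open_price=63_000, tp=60_000, leverage=10)
    update_tp_vulnerable(t, UINT256_MAX)     # slips past the placement-time check
    return close_at_tp(t)                    # capped at 900


if __name__ == "__main__":
    print(to_int256(UINT256_MAX), demo())
```

With 5x leverage the same trade settles at about 500%, matching the quote's "nearly equal to 100 * leverage"; with a buy order the cast produces a large loss instead, which is why the quoted passage considers a sell. Replacing update_tp_vulnerable with update_tp_fixed makes the update revert with "wrong_tp".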

Zellic said it shared the two vulnerabilities with all of the forks named above and contacted the Crypto Security Alliance to identify other potentially affected protocols. It warned, however, that some Gains forks may still contain the bugs, leaving users' funds at risk of being drained.

CryptoMoon reached out to Gains Network, Gambit Trade, Holdstation Exchange, and Krav Trade for comment but had not received a response from any of them at the time of publication.

Gains Network says it provides the true market price for listed assets rather than what it considers the less accurate prices derived from perpetual contracts, and claims better forex trading capabilities than its competitors.


2024-05-09 23:40