Blockchain security firm Zellic has discovered two critical bugs in a fork of the Gains Network leveraged trading protocol that could have allowed traders to profit 900% on every trade, regardless of the price of the token being traded.
The findings, reported on April 19, highlight the potential risks associated with forks of popular decentralized finance (DeFi) protocols and the importance of thorough security audits.
TLDR
- Two bugs in a fork of the Gains Network leveraged trading protocol could have allowed traders to profit 900% on every trade, regardless of the price of the token traded.
- One bug, found only in a fork of Gains, allowed users to set a stop-loss above the open price on a buy order, automatically profiting from any trade and potentially draining the protocol of all its funds.
- The second bug, found in a previous version of Gains but later patched, allowed traders to profit 900% on sell orders by entering a specific value (2^256-1) as the take-profit or stop-loss, causing an overflow in the profit calculation.
- Zellic informed the developers of Gains forks Gambit Trade, Holdstation Exchange, and Krav Trade about the vulnerabilities, and these teams have ensured their protocols are not affected. However, other Gains forks may still be vulnerable.
- In a separate incident, a trader front-ran Gains Network’s listing on Binance, buying $208,000 worth of GNS tokens less than 30 minutes before the listing and making a profit of $106,000.
Gains Network is an ecosystem of DeFi products on Polygon and Arbitrum, with its leveraged trading app “gTrade” facilitating over $25 billion in derivatives volume since its launch in May 2023.
Several popular DeFi trading apps have been derived from Gains Network’s base code, including Gambit Trade, Holdstation Exchange, and Krav Trade.
The first bug, found only in a fork of Gains Network, allowed users to set a stop-loss above the open price on a buy order, automatically profiting from any trade.
- For example, if the price of Bitcoin was $63,000 and a user entered $62,000 as the open price and $64,000 as the stop-loss, the order would be filled when the price fell to $62,000.
- However, the price would immediately be below the stop-loss, triggering an automatic exit.
- The protocol would record the stop-loss set by the user as the current price, resulting in a $2,000 profit, even though the correct profit should have been approximately $0.
- This exploit could have allowed an attacker to profit from every trade and eventually drain the protocol of all its funds.
Although the protocol contained a check to prevent this exploit, Zellic discovered that it could be bypassed if the user entered an extremely high open price.
An attacker could place an order to buy a token at an arbitrarily high price, set a stop-loss just below it, and then execute their own order, causing the openPrice to change to the current price after the trade’s price impact is taken into account.
The trade would then execute and become open, allowing the attacker to close it by executing the stop-loss and profiting from the difference between the closing price and the price of the stop-loss. This exploit could have resulted in a 900% profit for the attacker.
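The missing check described above, shown as an added Python model that is not Zellic's or any Gains fork's code: the stop-loss is validated against the open price the user submitted, but not against the price recorded when the order fills. The names, the integer prices, the fill-at-market rule (price impact ignored) and the 900% cap constant are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

MAX_GAIN_PCT = 900  # assumed profit cap, chosen to match the article's 900% figure

@dataclass(frozen=True)
class Order:
    buy: bool
    open_price: int  # requested price at placement, fill price once open
    stop_loss: int   # 0 means "no stop-loss"
    leverage: int

def sl_is_valid(buy: bool, open_price: int, stop_loss: int) -> bool:
    """A stop-loss must sit on the losing side of the open price."""
    if stop_loss == 0:
        return True
    return stop_loss < open_price if buy else stop_loss > open_price

def execute(order: Order, market_price: int, revalidate: bool):
    """Fill a buy order at market_price; return the open trade, or None if rejected."""
    # Placement-time check, made against the user-supplied open price.
    if not sl_is_valid(order.buy, order.open_price, order.stop_loss):
        return None
    # A buy priced above the market fills at the market, so open_price is rewritten.
    trade = replace(order, open_price=min(order.open_price, market_price))
    # Hardened path: repeat the check against the price actually recorded.
    if revalidate and not sl_is_valid(trade.buy, trade.open_price, trade.stop_loss):
        return None
    return trade

def pnl_pct_at_stop(trade: Order) -> int:
    """Leveraged percent profit if the trade closes at its stop-loss."""
    diff = trade.stop_loss - trade.open_price
    if not trade.buy:
        diff = -diff
    return min(diff * 100 * trade.leverage // trade.open_price, MAX_GAIN_PCT)

if __name__ == "__main__":
    naive = Order(True, 62_000, 64_000, 10)         # the article's example order
    inflated = Order(True, 1_000_000, 999_000, 10)  # constructed sample values
    print(execute(naive, 62_000, revalidate=False))     # rejected at placement
    opened = execute(inflated, 63_000, revalidate=False)
    print(opened, pnl_pct_at_stop(opened))              # slips through, capped gain
    print(execute(inflated, 63_000, revalidate=True))   # rejected after the fill
```

The general lesson for anyone auditing a fork is that any invariant tied to a user-supplied price has to be re-checked after the protocol overwrites that price.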
The second bug, found in a previous version of Gains Network but later patched, allowed traders to profit 900% on sell orders by entering a specific value (2^256-1) as the take-profit or stop-loss.
This value, the largest that an unsigned 256-bit integer can hold in Ethereum, would cause an overflow in the profit calculation. As long as the attacker used leverage greater than 9x, they could profit 900% from this exploit.
Zellic informed the developers of Gains forks Gambit Trade, Holdstation Exchange, and Krav Trade about these vulnerabilities, and these teams have ensured their protocols are not affected.
However, the security firm warned that other Gains forks might still contain these bugs, putting users’ funds at risk of being drained.
In a separate incident, a trader front-ran Gains Network’s listing on Binance, buying $208,000 worth of GNS tokens less than 30 minutes before the listing and making a profit of $106,000.
This incident highlights the potential for insider trading and front-running in the cryptocurrency market, particularly when it comes to exchange listings.