GMX V1 Bug Disclosure.
Morphex contributors discovered a bug in the forked GMX V1 contracts and were awarded a bug bounty for their findings.
On December 4th, 2023, Morphex contributors were made aware of a bug in the forked GMX V1 contracts by a user who had reached out after losing all their position’s profit when their trigger order was executed on BNB Chain. After thoroughly investigating, we arrived at the following summary.
Order execution in the current version of GMX V1's OrderBook contract is available to anyone to call. When a user or a keeper not owned by the protocol executes a user's order, the order is executed at maxMarginFeeBasisPoints, which can lead to the user being charged a higher fee, depending on how maxMarginFeeBasisPoints is configured.
Any such user/keeper would not have any incentive to do so besides the gas fee, but this could nonetheless be done intentionally to create an overcharging issue for users with trigger orders. In our case, an MEV bot on BNB Chain had executed the user’s order before the Morphex keeper could: https://bscscan.com/tx/0x00f146a3ab446b2a95bff4aea6fcfb18783ff7a933c65f8e21b88efbe6e2eac7
To resolve this bug, the OrderBook contract can be redeployed with a whitelist for who can execute orders.
After identifying the issue, Morphex contributors submitted a bug bounty report and reached out to GMX, as this was within the bug bounty scope of the GMX V1 Arbitrum and Avalanche contracts (though the issue is not directly replicable by MEV bots, due to the absence of a mempool on both chains).
Within the same day, both sides were able to confirm the bug’s presence and the recommended way to fix it. The decision was made by GMX and Morphex that until OrderBook redeployment, monitoring should be implemented to see if any other such occurrences are happening, and if so, to reimburse the overcharged users upon collecting and distributing the weekly revenue.
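The monitoring and reimbursement step described above can be sketched as follows; this is an added example, not code from Morphex or GMX. It flags order executions whose executor is not a protocol keeper and totals the extra fee owed to each account. The keeper address, the two fee values, the record fields, the proportional fee formula and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

BASIS_POINTS_DIVISOR = 10_000
# Assumed values for illustration; read the real ones from the deployed contracts.
MARGIN_FEE_BPS = 10       # fee when the protocol keeper executes
MAX_MARGIN_FEE_BPS = 50   # maxMarginFeeBasisPoints, applied when anyone else executes
# Hypothetical keeper address (placeholder), stored lowercase.
KEEPER_ALLOWLIST = {"0xkeeper0000000000000000000000000000000001"}

@dataclass(frozen=True)
class Execution:
    tx_hash: str          # placeholder hashes, constructed for this example
    executor: str         # address that called the order execution function
    account: str          # owner of the executed order
    size_delta_usd: int   # position size change in USD cents (assumed unit)

def position_fee(size_delta: int, fee_bps: int) -> int:
    # Assumed model: fee is proportional to the size change, in basis points.
    return size_delta * fee_bps // BASIS_POINTS_DIVISOR

def overcharge(ex: Execution) -> int:
    """Extra fee paid because a non-keeper executed the order, else 0."""
    if ex.executor.lower() in KEEPER_ALLOWLIST:  # tolerate checksum-cased addresses
        return 0
    return (position_fee(ex.size_delta_usd, MAX_MARGIN_FEE_BPS)
            - position_fee(ex.size_delta_usd, MARGIN_FEE_BPS))

def reimbursements(executions):
    """Return (amount owed per account, tx hashes to review)."""
    owed, flagged = defaultdict(int), []
    for ex in executions:
        extra = overcharge(ex)
        if extra > 0:
            owed[ex.account] += extra
            flagged.append(ex.tx_hash)
    return dict(owed), flagged

# Constructed sample records, as a monitor might decode them from execution events.
SAMPLE = [
    Execution("0xtx01", "0xKEEPER0000000000000000000000000000000001", "alice", 5_000_000),
    Execution("0xtx02", "0xbot00000000000000000000000000000000000002", "alice", 5_000_000),
    Execution("0xtx03", "0xbot00000000000000000000000000000000000002", "alice", 1_000_000),
    Execution("0xtx04", "0xuser0000000000000000000000000000000000003", "bob", 250_000),
]

if __name__ == "__main__":
    owed, flagged = reimbursements(SAMPLE)
    for account, cents in sorted(owed.items()):
        print(f"{account}: reimburse ${cents / 100:.2f}")
    print("review:", ", ".join(flagged))
```

The per-account totals can be fed into the weekly revenue distribution, and the flagged transactions reviewed by hand before any payout.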
Once the bug had been confirmed as medium-level in ImmuneFi by GMX, a bug bounty of $10,000 in USDC was paid out to the Morphex contributors for their efforts in identifying this bug.
At GMX, we tremendously value feedback from community builders. The Morphex team adeptly identified an issue affecting their forked version of the GMX v1 contracts on BNB chain, and directly reached out to GMX’s contributors.
This particular edge case on the GMX v1 contracts is not economically exploitable, and no GMX users were ever affected.
We would like to sincerely thank Morphex for following the reporting process via bug bounty platform ImmuneFi, which was set up to address issues like this. Their collegial approach in this matter is highly appreciated.
— Jonezee, GMX Communications