A series of critical bugs in the Gains Network trading protocol and its forks could have allowed traders to profit 900% on every trade, regardless of the token’s price movement, according to a report by blockchain security firm Zellic.
The vulnerabilities, which have since been patched in some instances, highlight the importance of rigorous security audits in the decentralized finance (DeFi) space.
TLDR
- A bug in a forked version of the Gains Network trading protocol allowed traders to profit 900% on every trade, regardless of the token’s price.
- The bug involved setting an arbitrarily high stop-loss price, causing the protocol to record an inflated profit for the trader.
- Another bug in a previous version of Gains Network itself enabled traders to profit 900% on sell orders by exploiting an integer overflow issue.
- Blockchain security firm Zellic discovered these vulnerabilities and alerted the teams behind Gambit Trade, Holdstation Exchange, and Krav Trade, who have patched their protocols.
- Zellic warned that other Gains Network forks might still be vulnerable to these exploits, putting users’ funds at risk.
Gains Network is an ecosystem of DeFi products on the Polygon and Arbitrum networks, with its flagship offering being the gTrade leveraged trading application.
Since its inception in May 2023, gTrade has facilitated over $25 billion in derivatives trading volume, according to data from DeFi Llama.
Zellic’s investigation focused on a forked version of the Gains Network protocol from which several popular DeFi trading applications are derived, including Gambit Trade, Holdstation Exchange, and Krav Trade.
The researchers discovered that a bug in this forked version allowed traders to set an arbitrarily high stop-loss price, causing the protocol to record an inflated profit for the trader.
Here’s how the exploit worked: When a user placed a trade order, the stop-loss price was stored in the protocol’s “currentPrice” variable, which is used to calculate profit and loss.
If a trader set their stop-loss price above the open price, they could automatically profit from the trade, regardless of the token’s actual price movement.
For example, let’s assume the price of Bitcoin was $60,000, and a trader entered $59,000 as their open price and $61,000 as their stop-loss. If the price fell to $59,000, the trade would be opened, but the protocol would immediately register the price as below the trader’s stop-loss, triggering an automatic exit.
Under normal circumstances, this should result in no profit for the trader. However, since the stop-loss price of $61,000 was set as the “currentPrice,” the system would record a $2,000 profit for the user.
By conducting enough trades with sufficiently high stop-loss prices, an attacker could have entirely drained the protocol of its funds, Zellic warned.
While the protocol included a check to prevent traders from setting their stop-loss above their buy-order open price, the researchers found a way to bypass this check in certain circumstances, allowing the exploit to proceed.
In addition to the bug in the Gains Network fork, Zellic also uncovered a separate vulnerability in a previous version of the official Gains protocol itself. This bug allowed traders to profit 900% on sell orders by exploiting an integer overflow issue.
When a trade was closed, the protocol converted the user’s stop-loss or take-profit point into a variable called “int,” which it then used to calculate profit in percentage terms.
However, if a user entered a stop-loss or take-profit value that was exactly 2^256-1 (the maximum value of an unsigned 256-bit integer, the largest number the Ethereum Virtual Machine can represent), the resulting calculations would cause “int” to become negative, leading to an inflated profit calculation.
According to Zellic, as long as an attacker used leverage greater than 9x, they could profit 900% from this exploit on sell orders.
While Gains Network had implemented a check to prevent users from entering 2^256-1 as a take-profit value when opening an order, the researchers found that this check could be bypassed by changing the take-profit point after the order was opened.
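As an added illustration that is not Zellic’s or any protocol’s code, the following Python model of a leveraged PnL calculation reproduces both bug classes described above (the fork’s stop-loss-as-currentPrice bug and the official protocol’s unchecked cast of 2^256-1) beside their corrected paths. It assumes a profit formula of price difference × leverage × collateral ÷ open price and a 900% profit cap, which is what the article’s 900% figure suggests; the prices, collateral and leverage are constructed sample values.

```python
# Simplified model of a leveraged-trading PnL calculation, constructed to
# illustrate the two bug classes; it is not Gains Network's or any fork's code.
UINT256_MAX = 2**256 - 1
MAX_PNL_P = 900  # assumed profit cap: 900% of collateral


def to_int256(x: int) -> int:
    """Mimic Solidity's unchecked int256(uint256) cast (two's complement)."""
    x &= UINT256_MAX
    return x - 2**256 if x >= 2**255 else x


def limit_price_is_valid(p: int) -> bool:
    """A limit price must stay non-negative after the cast to int256."""
    return 0 <= p < 2**255


def pnl(open_price: int, current_price: int, leverage: int, collateral: int, is_long: bool) -> int:
    """Profit (loss if negative) in collateral units, capped at MAX_PNL_P and floored at -100%."""
    diff = current_price - open_price if is_long else open_price - current_price
    profit = diff * leverage * collateral // open_price
    cap = collateral * MAX_PNL_P // 100
    return max(-collateral, min(profit, cap))


def fork_close(open_price: int, market_price: int, stop_loss: int, leverage: int, collateral: int, patched: bool) -> int:
    """Fork bug: the stop-loss price is written into currentPrice when the order executes.
    The patched path uses the actual market price instead."""
    current = market_price if patched else stop_loss
    return pnl(open_price, current, leverage, collateral, is_long=True)


def official_close(open_price: int, limit_price: int, leverage: int, collateral: int, is_long: bool, patched: bool) -> int:
    """Overflow bug: a limit price of 2**256-1 cast to int256 becomes -1, so a short
    appears to close far below its open price. The patched path validates the limit
    price on every path (opening and later updates), not only when the order is opened."""
    if patched and not limit_price_is_valid(limit_price):
        raise ValueError("limit price out of int256 range")
    return pnl(open_price, to_int256(limit_price), leverage, collateral, is_long)


if __name__ == "__main__":
    # Article scenario: open $59,000, stop-loss $61,000, market at $59,000, 1x on $59,000
    print("fork, vulnerable:", fork_close(59000, 59000, 61000, 1, 59000, patched=False))  # 2000
    print("fork, patched:   ", fork_close(59000, 59000, 61000, 1, 59000, patched=True))   # 0
    # Short at 10x with take-profit 2**256-1 on $1,000 collateral: hits the 900% cap
    print("official, short: ", official_close(59000, UINT256_MAX, 10, 1000, False, patched=False))  # 9000
```

Running the block shows that the same 2^256-1 limit price on a long position is a total loss, which is why only sell orders were profitable.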
Zellic informed the teams behind Gambit Trade, Holdstation Exchange, and Krav Trade about these vulnerabilities, and these projects have confirmed that their protocols are no longer vulnerable.