Gains Network Trading Protocol's Bugs Could Have Allowed 900% Profit on Trades
Summary:
Two significant vulnerabilities in a Gains Network trading protocol could have allowed traders to gain a 900% profit on every transaction, regardless of token price. One bug had been fixed in a previous Gains version, while the other was found only in a derivative protocol. Blockchain security firm Zellic alerted the development teams behind Gains derivatives Gambit Trade, Holdstation Exchange, and Krav Trade, who confirmed that the bugs are not present in their protocols. Other derivatives, however, might still be susceptible. Gains Network, a decentralized finance (DeFi) platform, has processed over $25 billion in derivatives since May 2023 through its trading app, gTrade.
Two distinct flaws in Gains Network's trading software could have let users make a 900% gain on each transaction, irrespective of the traded token's price, according to a report dated April 19 by blockchain security firm Zellic. The first bug had been identified and fixed in an older Gains version, while the second had been found only in a derivative of the software. Zellic said it had notified the development teams behind the Gains derivatives Gambit Trade, Holdstation Exchange, and Krav Trade, who subsequently confirmed that these bugs are absent from their protocols. Nonetheless, other Gains derivatives might still be susceptible, Zellic cautioned.
According to its website, Gains Network is a decentralized finance (DeFi) platform on Polygon and Arbitrum. Its trading app, officially known as "gTrade," has processed over $25 billion in derivatives since its launch in May 2023, as reported by the blockchain analytics company DefiLlama.
Notable DeFi trading apps such as Gambit Trade and Holdstation are known to have been forked from Gains Network's primary code. Zellic identified the vulnerability while analyzing one such derivative but declined to specify which one.
Gains Network software allows users to set up market, reversal, or momentum trading orders. A market order buys or sells an asset immediately at the current price. For a momentum or reversal trade, the smart contract records an "order" defining the price at which the user is ready to trade. Once that price is reached, any user can invoke the executeLimitOrder function to complete the order. The executor of this function does not have to be the user who placed the order, and is compensated with a small "execution fee" for carrying out the task.
Zellic found that in the Gains derivative it investigated, a user could cause the stop-loss price to be used as the "currentPrice" variable that measures profit and loss at the time the order is placed. This means that if a user could set the stop-loss price above the open price, they could potentially profit from any trade.
In a hypothetical scenario in which Bitcoin is priced at $63,000 and the user places an order at $62,000 with a stop-loss of $64,000, the order would be filled if the price dropped to $62,000. The price would then already be below the stop-loss, prompting an automatic exit.
The trading platform was designed to prevent this sort of attack through an "incorrect_sl" error, which rejects any buy order whose stop-loss is set higher than its open price.
However, Zellic determined that even this safety check could be evaded. A user could submit an extremely high "openPrice" up front, passing the check, after which the executor could lower the open price when filling the order. In effect, this glitch would let a user take a 900% profit on every trade, draining the entire protocol.
The second glitch allowed traders to profit 900% on sell orders irrespective of market movements. Zellic said it had reported both issues to all the protocols involved, but warned that some forks might still contain these vulnerabilities, putting user funds at risk.
Cointelegraph reached out to Gains Network, Gambit Trade, Holdstation Exchange, and Krav Trade for comment but received no response before publication. Even though Gains Network advertises that it offers the "real spot price" of listed assets, these vulnerabilities have raised significant concerns among its user base.
Published at: 5/9/2024 11:31:14 PM