Two different vulnerabilities in a fork of the Gains Network leveraged trading protocol have been discovered, which could have allowed traders to make a 900% profit on every trade, regardless of the token’s price, according to a report from blockchain security firm Zellic. One of the bugs existed in a previous version of Gains but was later fixed, while the other was only found in a fork of the protocol.
Zellic has informed the developers of the Gains forks Gambit Trade, Holdstation Exchange, and Krav Trade about the vulnerabilities, and those teams have confirmed that their protocols do not contain the flaws. However, Zellic has warned that other Gains forks may still be vulnerable.
Gains Network is an ecosystem of decentralized finance (DeFi) products on Polygon and Arbitrum, and its leveraged trading app is called “gTrade.” According to DefiLlama, the platform has facilitated over $25 billion in derivatives volume since its launch in May 2023.
Zellic noted that several popular DeFi trading apps are derived from Gains Network's code base, including Gambit Trade and Holdstation, among others. It found the vulnerability while studying one specific fork, which it did not name.
According to the report, Gains Network contracts allow users to open market, reversal, or momentum trade orders. A market order immediately buys or sells an asset regardless of price. When a user requests to open a momentum or reversal trade, the smart contract records an “order” with data about the desired trade price. Any user can then execute the order once that price is reached. The user who executes the order does not have to be the one who placed it. Users who execute the order receive a small fee for their role.
This enables users to place limit and stop-limit orders similar to centralized exchanges without needing a centralized entity to perform the order fills. Users can set take-profit and stop-loss prices when placing an order to automatically exit profitable or losing trades.
In the studied Gains fork, Zellic found that when a stop-loss was executed, the stop-loss price itself, rather than the actual market price, was stored in the "currentPrice" variable used to calculate profit and loss. On a buy order, a stop-loss set above the open price therefore registered as a gain rather than a loss, so a trader could close any position at a profit simply by setting the stop-loss higher than the open price.
To prevent this exploit, the protocol included a check that would throw an error if the stop-loss was set higher than the open price on a buy order. However, Zellic discovered that this check could be bypassed in certain circumstances.
When a user opens an order, they set the desired open price, which is recorded as the “openPrice” variable. The check is performed at this point. However, the function used to execute the order changes the “openPrice” variable to the current price plus the price impact from the order. This allowed an executor to bypass the check by executing the order and filling it at a lower open price.
Zellic provided an example of an attacker placing an order to buy a token at an extremely high open price and setting a stop-loss slightly below it. By executing their own order, the attacker could change the open price to the current price and then execute the stop-loss, resulting in a 900% profit for the attacker.
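The sequence above, modelled as an added Python example that is not Zellic's or the fork's code: the stop-loss check runs only when the order is placed, the fill overwrites the open price, and the stop-loss execution settles against the stored stop-loss price. The prices, leverage, function names and the hardened variant (re-validating the invariant after the fill and settling at an oracle price that has actually crossed the stop) are constructed assumptions for illustration.

```python
# Added example, not the fork's contract code: a Python model of the order
# lifecycle described in the article, with constructed prices and names.

MAX_GAIN_P = 900    # profit cap, percent of collateral
MAX_LOSS_P = -100   # full loss of collateral


def pnl_percent(open_price, current_price, leverage, is_long):
    """Simplified percentage PnL of a leveraged position."""
    diff = (current_price - open_price) if is_long else (open_price - current_price)
    return max(MAX_LOSS_P, min(diff * 100 * leverage // open_price, MAX_GAIN_P))


class BuyOrder:
    def __init__(self, open_price, stop_loss, leverage):
        # The only place the stop-loss is validated against the open price.
        if stop_loss >= open_price:
            raise ValueError("stop-loss must be below open price on a buy")
        self.open_price = open_price
        self.stop_loss = stop_loss
        self.leverage = leverage
        self.filled = False


def execute_order(order, market_price, price_impact=0):
    """Fill a pending order: openPrice is overwritten with the market price
    plus impact, and the placement-time stop-loss check is not repeated."""
    order.open_price = market_price + price_impact
    order.filled = True


def execute_stop_loss_vulnerable(order):
    """Forked behaviour: the stored stop-loss price is used as currentPrice."""
    return pnl_percent(order.open_price, order.stop_loss, order.leverage, True)


def execute_stop_loss_hardened(order, oracle_price):
    """Assumed fix (not from the report): re-check the invariant after the
    fill and settle at the oracle price, which must have crossed the stop."""
    if order.stop_loss >= order.open_price:
        raise ValueError("stop-loss not below open price")
    if oracle_price > order.stop_loss:
        raise ValueError("stop-loss not reached")
    return pnl_percent(order.open_price, oracle_price, order.leverage, True)


def attacker_profit(market_price=1_000, leverage=10):
    # Step 1: place with an absurd open price and a stop-loss just under it.
    order = BuyOrder(open_price=1_000_000, stop_loss=999_000, leverage=leverage)
    # Step 2: execute it yourself; openPrice is now the real market price.
    execute_order(order, market_price)
    # Step 3: trigger the stop-loss; PnL is computed as if price were 999_000.
    return execute_stop_loss_vulnerable(order)


def hardened_rejects(market_price=1_000, leverage=10):
    """True if the hardened path refuses the same attacker order."""
    order = BuyOrder(open_price=1_000_000, stop_loss=999_000, leverage=leverage)
    execute_order(order, market_price)
    try:
        execute_stop_loss_hardened(order, market_price)
    except ValueError:
        return True
    return False


def honest_stop_loss(market_price=1_000, leverage=10):
    """An ordinary trader whose stop is hit loses, as expected."""
    order = BuyOrder(open_price=1_000, stop_loss=950, leverage=leverage)
    execute_order(order, market_price)
    return execute_stop_loss_hardened(order, oracle_price=950)


if __name__ == "__main__":
    print("attacker PnL %:", attacker_profit())       # capped at 900
    print("hardened rejects attacker:", hardened_rejects())
    print("honest stop-loss PnL %:", honest_stop_loss())
```

The general lesson is the one the report points at: any invariant checked at placement must be re-established at every later step that can change the values it was checked against, here the fill that rewrites "openPrice".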
This bug was only present in the forked version of Gains being studied and not in the original Gains Network. However, during the investigation, Zellic discovered a second bug that existed in an earlier version of Gains.
The second bug allowed traders to profit 900% on sell orders regardless of price action. When a trade was closed, the stop-loss or take-profit price, stored on-chain as an unsigned 256-bit integer, was cast to a signed integer ("int") so that profit could be calculated in percentage terms. If a user entered a stop-loss or take-profit equal to 2^256-1, the largest possible unsigned value, the cast produced a negative number. Solidity's conversion from uint256 to int256 reinterprets the bit pattern in two's complement rather than range-checking it, so 2^256-1 becomes -1 after the cast.
For a sell (short) position, profit is the open price minus the close price, scaled by leverage, so a close price of -1 yields a gain of roughly 100% per unit of leverage. Zellic noted that with leverage greater than 9x the result exceeds the protocol's 900% maximum payout, so the attacker collects the full 900% regardless of where the market actually is.
The check preventing 2^256-1 from being entered as a take-profit was only performed when the order was first opened, allowing users to bypass the check by changing the take-profit point after the order was opened.
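An added Python model of the signed-conversion bug and the post-open bypass, not Zellic's or Gains Network's code: it reproduces Solidity's unchecked int256(uint256) reinterpretation and a simplified Gains-style percentage PnL, then shows a short whose take-profit is changed to 2^256-1 after the open-time check has passed. The sanity check, prices, leverage and names are constructed assumptions for illustration.

```python
# Added example, not the protocol's contract code: a Python model of the
# uint256 -> int256 cast and the take-profit update path described above.

UINT256_MAX = 2**256 - 1
INT256_MAX = 2**255 - 1
MAX_GAIN_P = 900    # profit cap, percent of collateral
MAX_LOSS_P = -100   # full loss of collateral


def to_int256(x):
    """Model Solidity's int256(x) for a uint256 x: the bits are reinterpreted
    in two's complement with no range check, so 2**256 - 1 becomes -1."""
    if not 0 <= x <= UINT256_MAX:
        raise ValueError("not a uint256")
    return x - 2**256 if x > INT256_MAX else x


def pnl_percent(open_price, close_price, leverage, is_long):
    """Simplified percentage PnL. Both prices are uint256 on-chain and are
    cast to int before the signed subtraction, as in the old Gains code."""
    o = to_int256(open_price)
    c = to_int256(close_price)
    diff = (c - o) if is_long else (o - c)
    return max(MAX_LOSS_P, min(diff * 100 * leverage // o, MAX_GAIN_P))


class ShortTrade:
    def __init__(self, open_price, take_profit, leverage):
        # Validation runs here, at open, and nowhere else in the vulnerable path.
        self._check_tp(take_profit)
        self.open_price = open_price
        self.take_profit = take_profit
        self.leverage = leverage

    @staticmethod
    def _check_tp(tp):
        # Assumed sanity check: reject any value that turns negative after the cast.
        if tp > INT256_MAX:
            raise ValueError("take-profit out of range")

    def update_tp_vulnerable(self, tp):
        """The post-open update skipped the check, so the bypass is one extra call."""
        self.take_profit = tp

    def update_tp_fixed(self, tp):
        """Assumed fix: validate on every write, not only at open."""
        self._check_tp(tp)
        self.take_profit = tp

    def close_at_tp(self):
        return pnl_percent(self.open_price, self.take_profit, self.leverage, is_long=False)


def exploit(leverage):
    """Open with a sane take-profit, then move it to 2**256 - 1 and close."""
    t = ShortTrade(open_price=1_000, take_profit=900, leverage=leverage)
    t.update_tp_vulnerable(UINT256_MAX)   # take-profit now casts to -1
    return t.close_at_tp()


def honest_close(leverage=10):
    """A short that really reaches its take-profit of 900 from 1,000."""
    return ShortTrade(open_price=1_000, take_profit=900, leverage=leverage).close_at_tp()


def fixed_update_rejects():
    """True if the validating update path refuses the overflow value."""
    t = ShortTrade(open_price=1_000, take_profit=900, leverage=10)
    try:
        t.update_tp_fixed(UINT256_MAX)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("int256(2**256-1) =", to_int256(UINT256_MAX))   # -1
    print("exploit at 8x:", exploit(8), "% ; at 10x:", exploit(10), "%")
    print("honest close:", honest_close(), "%")
    print("fixed update rejects:", fixed_update_rejects())
```

Two practical checks follow from this: in Solidity, convert with a range-checking helper such as OpenZeppelin's SafeCast.toInt256 rather than a bare int256(x), and apply the same bounds validation to every setter (open, update, and any admin path) that can write the value later fed to the cast.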
Zellic has informed the relevant forks about these security flaws and has contacted the Crypto Security Alliance to identify other affected protocols. However, it cautioned that some Gains forks may still have these bugs, posing a risk to users’ funds.
Cointelegraph reached out to Gains Network, Gambit Trade, Holdstation Exchange, and Krav Trade for comment but did not receive a response at the time of publication.
Gains Network claims to provide the “real spot price” of listed assets and offers superior forex trading compared to competitors.