Bugs in Gaines Network Fork Allow Traders to Profit 900% on Every Trade: Report

Bugs in Gaines Network Fork Allow Traders to Profit 900% on Every Trade: Report


Two separate bugs in a fork of the trading protocol used by the Gaines network could have allowed traders to make 900% profits on each trade, regardless of the token's value, according to an April 19 report from blockchain security firm Zelik. One of the bugs was in the previous version of Gaines but it was fixed later. The other was only found in a fork of the protocol.

According to Zelic, his staff notified the developers of GainesForex GambitTrade, HoldStation Exchange and CraveTrade of the vulnerability, and these development teams confirmed that their protocols were free of two such flaws. However, other forks of Gaines may still be vulnerable, Zelik warned.

According to its official website, the Gaines Network is an ecosystem of decentralized finance (DeFi) products based on polygons and arbitrage. The official name for the authorized trading app is “gTrade”. Since its inception in May 2023, it has facilitated more than $25 billion in revenue, according to blockchain analytics platform Defillama.

User interface for gTrade, the trading application used by Gains Network. Source: Gaines Network

Zelic says that several popular DeFi trading apps, including the aforementioned Gambit Trading and HoldStation, are derived from Gains Network's base code. They discovered the exploit while studying a specific fork, but declined to say which one they discovered.

coinbase

According to the report, Gaines Network contracts allow users to open market, reverse or momentum trade orders. A market order buys or sells an asset immediately, regardless of the price.

When a user requests to open a forward or reverse trade, the smart contract records an “order” containing information at what price the user is willing to trade. Once this value is reached, any user can call the executeLimitOrder function to fill the order. The user calling the execution must not be the same as the one issuing the command. Users who call the execution are paid a small “execution fee” for playing this role.

This allows users to place limit (momentum) and stop-limit (reverse) orders in the same way they can on a centralized exchange, but without the need for a central entity to fill the order.

When a user places an order, they can set a take-profit price, a stop-loss price, or both. The purpose of this pattern is to enable traders to directly exit a profitable trade in a profitable position or exit a losing trade in a losing position.

Bug in Gains fork allowed 900% profit on buy orders

In the Gaines Fork he studied, Zelik discovered that when the order is opened, the stop loss price is stored in the “currentPrice” variable to calculate the profit and loss. This means that if a user can set the stop-loss above the open price, they can profit directly from any trade.

For example, consider a situation where the price of Bitcoin (BTC) was $63,000 and the user entered $62,000 as the open price and $64,000 as the stop loss. In this case, if the price drops to $62,000, the order will be filled. But the price will immediately be below the loss, which will lead to an automatic withdrawal.

Additionally, the stop-loss set by the user is recorded as the current price. This means that the user will make a profit of $2,000, even though the actual profit should have been approximately $0. This would have allowed an attacker to profit from each trade and ultimately destroy the currency protocol.

To prevent this exploit, the protocol contains a check that throws an “error_sl” error if the user tries to set their buy order price higher than the open price.

c5dc31be 2e77 41e2 939b f46491e73edf
Gains network fork check to prevent false gain or stop loss. Source: Zelik

However, the investigators discovered that this check can be bypassed under certain circumstances.

When a user first opens an order, they set the price they want to open the trade, and then it is recorded in the variable “openPrice”. The check was done at this time. However, the function used to execute the order changes this variable to the value of “a.Price”, which is the current price and the effect of the price being opened.

This means that if the user enters a value that is too high, the executor can simply execute the order and pass the check. This allowed the executor to fill the order at a lower price than originally set.

For example, Zelich considers an attacker's proposal to buy a token at $100000e10 ($1 quadrillion) and sets a stop loss at $1 less, or $999.9999999999999 trillion. Once the order is placed, the attacker executes his own order, which changes the open price from $100000e10 to any current price after taking into account the price impact of the trade.

After that, the business is up and running. As long as the resulting opening price is below the originally set stop-loss, it can now be closed by executing the stop-loss. When the attacker executes their own stop loss, they profit from the difference between the closing price and the stop-loss price.

The trade would have yielded a 900% profit for the attacker, Zelic said.

beb3bd34 272f 4144 ac2c 99f4fa0a4b1c
An example of a fork exploit. Source: Zelik

This flaw did not exist in Gains Network when the Zelic team discovered it. It was only in the version of the fork I was checking. However, in the course of studying this issue, he encountered a second flaw in Gaines' previous version.

Second bug allowed 900% profit on sell orders

The second bug allowed traders to profit 900% on sell orders regardless of price action.

In Gaines Fork, when a trade is closed, it converts the user's stop or profit point to an “int” variable, and then uses it to calculate the profit percentage. But if a user entered a stop-loss or take-profit value that was exactly 2^256-1, the resulting calculations would cause “int” to be negative.

The reason for this is that 2^256-1 is the maximum value of positive numbers in Ethereum, because any value above it will be “multiplied” or start at zero, and the calculation will increase the total value of the open value. In the Solidity programming language, 2^256-1 is also known as “type(uint256) max”.

According to Zelic, as long as an attacker exploits more than 9x leverage, they can get 900% of this exploit:

“Let's consider a sell order, with current price as type(uint256).max. The resulting difference price will be openPrice + 1 (int(type(uint256)) max) = -1, and thus the profit percentage will be equal to 100*leverage. So if the gain is greater than 9, the function returns 900% of the gain.

2^256-1 was a check in the contract to prevent it from entering for profit. However, this check is performed only when the order is opened. If the user changes their profit points after the order is opened, they can bypass the check and enter 2^256-1 as a withdrawal, allowing them to earn an automatic 900% profit every time they trade.

This second flaw was present in an earlier version of Gaines, but was later fixed. The current version does not contain this flaw, because it performs the check when profit and stop loss are updated, as well as when they are first set.

Zelik informed all of the aforementioned forks about these two security flaws and contacted the Crypto Security Alliance in an attempt to find other protocols that could be affected. However, he warned that some of Gaines' forks may still harbor these bugs, putting users at risk of losing their money.

Cointelegraph contacted Gains Network, Gambit Trade, Holdstation Exchange and Krav Trade for comment but did not receive a response by the time of publication.

Gaines Networks says it provides “true spot value” for listed properties, as opposed to what it sees as minimally accurate values ​​based on perpetual contracts. It also claims to offer superior forex trading compared to its competitors.

Related: Libra-linked Sui blockchain fixes critical bug that puts ‘billions' at risk

Leave a Reply

Pin It on Pinterest