A fork of the Gains Network – an ecosystem of DeFi products on Polygon and Arbitrum – was allowing traders to claim 10X gains on every trade, no matter the price of their tokens traded, according to blockchain security experts.
Gains Network holds a total value locked (TVL) of $20.29 million, according to DeFi Llama. Since its inception in May 2023, it’s handled $25 billion in derivatives trading volume.
An April 19 report from Zellic highlighted how one bug impacting a fork of the protocol allowed an attacker to place an arbitrarily high buy limit order and win every trade automatically.
Here’s how it worked: when an order was opened, the stop-loss price was stored in the protocol’s “currentPrice” variable, which is used to calculate profit and loss. As a result, if users set their stop-loss price above the open price, they could profit from the trade without risk.
For example, assume Bitcoin’s price was $60,000, and the trader entered $59,000 as their open price and $61,000 as their stop-loss. If the price fell to $59,000, the trade would be opened, but the price would immediately be below the trader’s stop-loss, triggering an immediate exit.
Under normal circumstances, this should result in exactly $0 in profit for the trader. However, since the stop-loss price of $61,000 was set as the protocol’s “current price”, the system recorded $2,000 in profit for the user.
If an attacker placed enough such trades with high enough stop-loss values, he could entirely drain the protocol of its funds. While the protocol did contain a check to stop those trying to set their stop-loss above their buy-order open price, other exploits were found that allowed attackers to bypass the check.
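The settlement flaw described above can be modeled in a few lines and turned into a regression check. This is an added example in Python, not code from Zellic's report or from the protocol (whose contracts are not shown in the article); the names `LongLimitOrder`, `validate`, `settle` and `find_violations`, the `size` field, and the choice to price the corrected exit at the oracle price are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LongLimitOrder:
    open_price: float  # limit price at which the long is filled
    stop_loss: float   # position closes when price is at or below this
    size: float = 1.0  # units of the asset (assumed field, not from the report)

def validate(order):
    """Open-time check the article mentions: a long's stop-loss must sit below its open price."""
    if order.stop_loss >= order.open_price:
        raise ValueError("stop-loss must be below the open price for a long")

def settle(order, oracle_price, vulnerable):
    """Fill the order at oracle_price and return the recorded PnL if the stop-loss is hit.

    Returns None when the order is not filled or the position stays open."""
    if oracle_price > order.open_price:
        return None  # limit price not reached
    if oracle_price > order.stop_loss:
        return None  # filled, stop-loss not triggered
    # Flawed path: the stop-loss stands in for the current price.
    # Corrected path (assumption): the exit is priced at the oracle price.
    current_price = order.stop_loss if vulnerable else oracle_price
    return (current_price - order.open_price) * order.size

def find_violations(open_price, oracle_price, stop_losses, vulnerable):
    """Regression check: recorded PnL must never exceed mark-to-market PnL."""
    bad = []
    for sl in stop_losses:
        order = LongLimitOrder(open_price, sl)
        pnl = settle(order, oracle_price, vulnerable)
        mark_to_market = (oracle_price - open_price) * order.size
        if pnl is not None and pnl > mark_to_market:
            bad.append(sl)
    return bad

if __name__ == "__main__":
    # Constructed input using the article's figures: open $59,000, stop-loss $61,000.
    article_order = LongLimitOrder(open_price=59_000, stop_loss=61_000)
    print(settle(article_order, 59_000, vulnerable=True))
    print(settle(article_order, 59_000, vulnerable=False))
    print(find_violations(59_000, 59_000, [58_000, 59_000, 60_000, 61_000], True))
```

Because the article says the open-time check could be bypassed, the invariant in `find_violations` is evaluated at settlement and does not depend on `validate` having run.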
Using certain figures, Zellic said traders could have