0xAlpha


TL;DR:

The devil in the details: GMX’s keeper

The recent manipulation attack on GMX brought our attention to GMX's keeper mechanism. However, the vulnerability to external manipulation is not the real problem. While external manipulation is an issue that can be reined in, the real problem with the keeper is that there is no way to prevent internal manipulation (or even to detect it).

Trading on GMX is a 2-step procedure:

  1. You place the order. In this step, in addition to the regular transaction fees, you pay an extra amount of ETH/AVAX (called "Execution Fee") for the keeper to execute your trade.
  2. The "keeper" executes your order with a so-called "oracle price", which is solely determined by the keeper.

Here is the devil in the details: this keeper is not an on-chain or transparent mechanism. Instead, it's a process signed by a GMX-owned address and running on GMX's own centralized server. And the keeper's core role is not just to execute the orders, but also to decide the trading prices. Within a very weak constraint, the keeper can execute your trade at whatever price it chooses. And even this weak constraint (a deviation of more than 2.5% from the ChainLink price triggers a "bid-ask spread") only makes the price worse for traders.

Simply speaking, the price of every trade is decided by the keeper, AFTER the trader places the order.

How to be evil with this?

Simple and easy!

Since the trading price of every single trade is entirely up to the keeper, the person running the keeper can do whatever they want, e.g. feed prices in favor of, or against the interest of, traders at will. It's very convenient to steal money from every trade by feeding bad prices for the trade (higher prices for long trades or lower prices for short ones).

And this can be done very covertly: the keeper only needs to make the price slightly worse (e.g. 0.1% higher or lower) than the fair value, so that it's very hard to notice. A significant amount of value (0.1% of the trading volume) would then be stolen from traders.

You might think such stealing is in the LPs' favor. That is true in this particular case. But with such absolute power, it is just as easy to steal from the LPs. The keeper only needs to feed its affiliate account with prices better than fair (lower prices for long trades or higher prices for short trades) to transfer value into this account. This is very easy to understand: if the external manipulator in the attack could benefit their account by manipulating the price source, it is only more straightforward for the keeper to benefit a specific account by manipulating the price directly. The only difference is that the former comes at the cost of moving the prices on the reference exchange (i.e. Binance), whereas the latter costs nothing. And again, this can be done in a very hidden way by keeping the intentional deviation small enough to avoid attention while still being profitable.
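As an added illustration (not code from the original post or from GMX), the following Python audit measures, on constructed sample fills, how much each account is shaded relative to an independent reference price; the `Fill`, `adverse_bps` and `audit_fills` names, the Chainlink-style reference feed and the 5 bps flag threshold are assumptions. It covers both cases above: a 0.1% shade against ordinary traders and a 0.1% shade in favor of an affiliate, while every fill comfortably passes the 2.5% deviation rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class Fill:
    account: str
    is_long: bool
    ref_price: float   # independent reference at execution time (assumed: a Chainlink-style feed)
    exec_price: float  # price the keeper actually executed the order at


def adverse_bps(fill: Fill) -> float:
    """Signed slippage versus the reference, in basis points; positive = worse for the trader."""
    rel = (fill.exec_price - fill.ref_price) / fill.ref_price
    return (rel if fill.is_long else -rel) * 10_000


def passes_spread_rule(fill: Fill, max_dev: float = 0.025) -> bool:
    """The weak constraint from the post: only a >2.5% deviation from the reference triggers a spread."""
    return abs(fill.exec_price - fill.ref_price) / fill.ref_price <= max_dev


def audit_fills(fills, bias_threshold_bps: float = 5.0) -> dict:
    """Per-account mean adverse slippage. A consistently positive mean means the account is
    systematically filled worse than the reference; a consistently negative mean means it is
    systematically favored (the affiliate case). Both are flagged, even though every single
    fill stays inside the 2.5% rule."""
    by_account = defaultdict(list)
    for f in fills:
        by_account[f.account].append(adverse_bps(f))
    report = {}
    for acct, scores in by_account.items():
        m = mean(scores)
        report[acct] = {"mean_adverse_bps": m, "flagged": abs(m) >= bias_threshold_bps}
    report["all_fills_within_2_5pct"] = all(passes_spread_rule(f) for f in fills)
    return report


# Constructed sample: ordinary traders are shaded 0.1% (10 bps) against them on every fill,
# while "affiliate" is shaded 0.1% in its favor. No fill comes anywhere near the 2.5% limit.
SAMPLE_FILLS = [
    Fill("trader_a", True, 1000.0, 1001.0),
    Fill("trader_a", False, 1000.0, 999.0),
    Fill("trader_b", True, 2000.0, 2002.0),
    Fill("trader_b", False, 1500.0, 1498.5),
    Fill("affiliate", True, 1000.0, 999.0),
    Fill("affiliate", False, 2000.0, 2002.0),
]

if __name__ == "__main__":
    for key, value in audit_fills(SAMPLE_FILLS).items():
        print(key, value)
```

Run against real fills, the only input needed is each order's execution price paired with a reference price sampled at the same time; a per-account mean that stays off zero across many fills is the signal the 2.5% rule cannot catch.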

This trading mechanism is so opaque that it is even easier to be evil here than on any orderbook-based centralized exchange (including those designed to be evil). On the latter, you have a reasonably clear expectation of your trading price in advance by looking at the quotes on the orderbook. If the quotes are not fair, you can choose not to trade. In contrast, on GMX, the trades are entirely in the keeper's hands.

OK, but they haven't been evil yet, have they?