A recent report from blockchain security firm Zellic revealed that two bugs in a fork of the Gains Network leveraged trading protocol could have allowed traders to make a 900% profit on every trade, regardless of the token’s price. One of the bugs had already been patched in a previous version of Gains, while the other was found exclusively in the forked version of the protocol.
Zellic notified the developers of Gains forks Gambit Trade, Holdstation Exchange, and Krav Trade about the vulnerability, and these teams have since ensured that their protocols are not affected by these flaws. However, Zellic cautioned that other Gains forks may still be vulnerable.
The Gains Network is an ecosystem of decentralized finance (DeFi) products on Polygon and Arbitrum. Its leveraged trading app, known as “gTrade,” has facilitated over $25 billion in derivatives volume since its launch in May 2023.
Zellic discovered that several popular DeFi trading apps are derived from Gains Network’s base code, including Gambit Trade and Holdstation, among others. Zellic did not disclose the specific fork in which it found the exploit during its investigation.
The report explained that Gains Network contracts allow users to open market, reversal, or momentum trade orders. A market order involves immediate buying or selling of an asset at any price. Momentum and reversal orders are executed when the price reaches a specified level set by the user.
The bug in the Gains fork allowed users to profit from buy orders by manipulating the stop-loss price. By setting the stop-loss above the open price, users could automatically profit from any trade. The protocol had a check in place to prevent this exploit, but Zellic discovered that it could be bypassed in certain circumstances.
The second bug allowed traders to profit from sell orders regardless of price action. When a trade was closed, the protocol converted the user’s stop-loss or take-profit point into a variable. If a user entered a value that was exactly 2^256-1, the calculations would cause the variable to become negative, resulting in a 900% profit. Although this flaw existed in a previous version of Gains, it has since been patched.
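As an added illustration (not code from Zellic's report or from Gains Network), the Python sketch below models input checks of the kind the two bugs above call for: keeping a stop-loss on the losing side of the open price, and refusing a value such as 2^256-1 that turns negative when reinterpreted as a signed integer. The function names, the signed 256-bit width, and the convention that 0 means "not set" are assumptions.

```python
# Added example: Python model of 256-bit integers. All names are hypothetical;
# this is not Gains Network code.
UINT256_MAX = 2**256 - 1
INT256_MAX = 2**255 - 1


def unchecked_int256(value):
    """Reinterpret a uint256 as int256 (two's complement), as an unchecked cast does."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("not a uint256")
    return value - 2**256 if value > INT256_MAX else value


def checked_int256(value):
    """Safe cast: refuse any value that does not fit in a non-negative int256."""
    if not 0 <= value <= INT256_MAX:
        raise ValueError("value does not fit in int256")
    return value


def validate_levels(buy, open_price, stop_loss, take_profit):
    """Return the reasons to reject an order's levels (empty list = accept).

    Assumption of this sketch: a level of 0 means "not set".
    """
    levels = (("open_price", open_price), ("stop_loss", stop_loss),
              ("take_profit", take_profit))
    errors = []
    for name, level in levels:
        try:
            checked_int256(level)
        except ValueError:
            errors.append(f"{name} out of int256 range")
    if errors:
        return errors  # do not compare prices that would wrap when cast
    if open_price == 0:
        errors.append("open_price must be positive")
    # Stop-loss belongs on the losing side of the open price, take-profit on the winning side.
    if stop_loss and (stop_loss >= open_price if buy else stop_loss <= open_price):
        errors.append("stop_loss on wrong side of open_price")
    if take_profit and (take_profit <= open_price if buy else take_profit >= open_price):
        errors.append("take_profit on wrong side of open_price")
    return errors


if __name__ == "__main__":
    print(unchecked_int256(UINT256_MAX))               # the wrapped value
    print(validate_levels(True, 100, 120, 0))          # buy with stop-loss above open
    print(validate_levels(False, 100, 0, UINT256_MAX))  # sell with 2^256-1 as a level
```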
Zellic has informed the relevant forks about these security flaws and has reached out to the Crypto Security Alliance to identify other potentially affected protocols. However, it cautioned that some Gains forks may still contain these bugs, posing a risk to users’ funds.
Cointelegraph reached out to Gains Network, Gambit Trade, Holdstation Exchange, and Krav Trade for comment but did not receive a response at the time of publication.
Gains Network claims to provide the “real spot price” of listed assets and offers superior forex trading compared to its competitors.