Welcome back to Sherlock’s Vulnerability Spotlight, where we highlight an impactful vulnerability uncovered during a Sherlock audit.
This week, we examine a denial-of-service found in the @GMX_IO contest by @0xdeadbeef____ and @IllIllI000.
Credit to @int0x1catedCode for the breakdown.

Summary of the Vulnerability:
The vulnerability allows an attacker to manipulate order execution flow by providing fake revert reason lengths that don't match the actual data. This causes the protocol's error handling to read incorrect memory regions, potentially disrupting the execution process or causing unexpected behavior when processing failed orders.
Attack Steps:
1. Setup Phase
Deploy a malicious contract that implements custom revert behavior.
The malicious contract should be invokable by the target protocol (e.g., as callback handler).
2. Craft Malicious Revert Data
Structure revert data with a falsified length parameter.
3. Execute Order Through Protocol
Create an order that will trigger interaction with the malicious contract.
When the protocol processes the order and calls the malicious contract, it reverts with the crafted data.
The protocol's error handling attempts to decode the revert reason using the fake length.
4. Trigger Memory Read Overflow
The protocol reads memory based on the fake length parameter.
This causes it to read beyond the actual revert data boundaries.
What's the Impact?
Denial of service: Orders can fail to execute properly, blocking legitimate protocol operations such as liquidation of bad positions.
Order execution disruption: Batch order processing can be halted, affecting multiple users.
Gas griefing: Processing malformed revert data can consume excessive gas.
The Root Cause:
1. Unchecked length parameters: The protocol trusts the length value provided in revert data without validation.
2. Missing boundary checks: No verification that the claimed length matches the actual data size.
The Mitigation:
1. Always validate revert data length.
2. Implement maximum length limits.
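Added example (not from the Sherlock write-up or GMX's code): a Python model of both mitigations applied to a standard Solidity Error(string) revert payload, with a fallback so a bad payload cannot stop order processing. The 256-byte cap, the canonical-offset policy and all function names are assumptions, and the sample payloads are constructed.

```python
ERROR_SELECTOR = bytes.fromhex("08c379a0")  # selector of Error(string)
WORD = 32
MAX_REASON_LEN = 256  # assumed cap; choose one that fits the protocol


class BadRevertData(ValueError):
    """Revert data that must not be decoded as a string."""


def decode_revert_reason(data: bytes, max_len: int = MAX_REASON_LEN) -> str:
    # Layout: selector(4) | offset word(32) | length word(32) | string bytes
    if len(data) < 4 + 2 * WORD or data[:4] != ERROR_SELECTOR:
        raise BadRevertData("not an Error(string) payload")
    body = data[4:]
    offset = int.from_bytes(body[:WORD], "big")
    if offset != WORD:  # strict policy (assumption): canonical offset only
        raise BadRevertData("non-canonical offset")
    claimed = int.from_bytes(body[WORD:2 * WORD], "big")
    if claimed > max_len:  # mitigation 2: maximum length limit
        raise BadRevertData("claimed length over cap")
    if claimed > len(body) - 2 * WORD:  # mitigation 1: length vs. real size
        raise BadRevertData("claimed length exceeds actual data")
    return body[2 * WORD:2 * WORD + claimed].decode("utf-8", errors="replace")


def safe_reason(data: bytes, fallback: str = "<unreadable revert>") -> str:
    # Error handling must not fail on hostile data: record a fallback and
    # let the caller keep processing the remaining orders.
    try:
        return decode_revert_reason(data)
    except BadRevertData:
        return fallback


def encode_error(reason: bytes, claimed_len=None) -> bytes:
    """Build constructed sample data; claimed_len overrides the length word."""
    n = len(reason) if claimed_len is None else claimed_len
    padded = reason + b"\x00" * (-len(reason) % WORD)
    return ERROR_SELECTOR + WORD.to_bytes(32, "big") + n.to_bytes(32, "big") + padded


if __name__ == "__main__":
    print(safe_reason(encode_error(b"order failed")))            # honest payload
    print(safe_reason(encode_error(b"x", claimed_len=2 ** 64)))  # falsified length
```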
We are proud to have helped secure @GMX_IO through this discovery.
When it absolutely needs to be secure, Sherlock is the right choice.