Two different bugs in a fork of the Gains Network leveraged trading protocol could have allowed traders to profit 900% on every trade, regardless of the price of the token traded, according to an April 19 report from blockchain security firm Zellic. One of the bugs existed in a previous version of Gains but was later patched. The other was only found in a fork of the protocol. According to Zellic, its staff informed the developers of Gains forks Gambit Trade, Holdstation Exchange, and Krav Trade of the vulnerability, and these development teams have ensured their protocols do not contain these two flaws. However, other Gains forks may still be vulnerable, Zellic warned.
According to its official website, Gains Network is an ecosystem of decentralized finance (DeFi) products on Polygon and Arbitrum. The official name for its leveraged trading app is “gTrade.” It has facilitated over $25 billion in derivatives volume since its inception in May 2023, according to blockchain analytics platform DefiLlama.
Zellic claimed that several popular DeFi trading apps are derived from Gains Network’s base code, including the aforementioned Gambit Trade and Holdstation, as well as many other protocols. The firm discovered the exploit while studying a particular fork but declined to name which one.
According to the report, Gains Network contracts allow users to open either a market, reversal or momentum trade order. A market order buys or sells an asset immediately, regardless of price.