According to PANews, a report released by blockchain security company Zellic on April 19th revealed two distinct vulnerabilities in the gTrade protocol of Gains Network. These vulnerabilities could have allowed traders to profit by 900% on each trade, regardless of the price of the traded token. One of the vulnerabilities was found in an early version of Gains but has since been fixed. The other vulnerability was only discovered in a fork of the protocol.

In its research, Zellic found that one of the vulnerabilities in the Gains fork allowed attackers to profit by setting an extremely high opening price and a slightly lower stop-loss price. When the attacker placed an order far above the actual price and set a stop-loss close to this price, the system would mistakenly take the current price (affected by the order) as the opening price, causing the stop-loss condition to trigger quickly. At this point, the attacker could execute the stop-loss operation and gain up to 900% illegal profit from an originally almost zero profit margin, posing a serious threat to the protocol's fund security.

The second vulnerability discovered by Zellic allowed traders to gain abnormally high profits on sell orders through specific operations. When the trader's set take-profit or stop-loss point was exactly the maximum value of the uint256 type in Ethereum (i.e., 2^256-1), due to numerical overflow, the system would incorrectly calculate the profit, allowing the trader to gain up to 900% profit regardless of the actual trading situation. This second vulnerability did indeed exist in an early version of Gains but has since been fixed. The current version does not contain this vulnerability as it checks when updating and initially setting the take-profit and stop-loss points.

Zellic stated that its staff had informed the developers of Gains' fork projects Gambit Trade, Holdstation Exchange, and Krav Trade of these vulnerabilities, and these development teams have ensured that these two vulnerabilities do not exist in their protocols. However, Zellic warned that other forks of Gains may still have vulnerabilities. Zellic claimed that several popular DeFi trading applications are derived from the basic code of Gains Network, including the aforementioned Gambit Trade and Holdstation, as well as many other protocols. They discovered this vulnerability while researching a specific fork but refused to disclose which fork it was found in. Zellic has informed all the aforementioned fork versions of the two security vulnerabilities and has contacted the Crypto Security Alliance to find other protocols that may be affected by these vulnerabilities.