Gamma Strategies Deposit Price Check
Gamma Strategies on Arbitrum lost $6.1M after a weak deposit-proxy price check let a flash-loan attacker deposit at a skewed ratio and withdraw outsized value.
- Date
- Victim
- Gamma Strategies
- Chain(s)
- Status
- Partially Recovered
On January 4, 2024, the active-liquidity-management protocol Gamma Strategies lost approximately $6.1 million on Arbitrum. A weak price-deviation safeguard in the deposit proxy failed to prevent a flash-loan attacker from manipulating the underlying pool and depositing at a skewed ratio, then withdrawing disproportionate value.
What happened
Gamma's deposit proxy had a price-deviation check intended to reject deposits when the pool price was far from a reference. The check's bounds were too loose to prevent flash-loan manipulation. The attacker flash-borrowed, skewed the pool within the (inadequate) tolerance, deposited at the manipulated ratio for inflated LP shares, and redeemed for ~$6.1M of real assets.
Aftermath
- Gamma paused deposits and tightened the deviation parameters.
- A portion was recovered/negotiated; the protocol continued with hardened checks.
Why it matters
Gamma Strategies is a precise illustration that a safeguard with the wrong parameters is not a safeguard. Gamma had a price-deviation check — it simply had bounds wide enough to drive a flash loan through. This is the parametric cousin of the catalogue's recurring "the check was present but didn't fire" theme (Gym Network, KiloEX). The defensive lesson: deviation/slippage bounds must be set against worst-case adversarial manipulation, not against normal market noise — and that calibration should be tested with flash-loan simulations, not assumed.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-gamma-strategies-hack-january-2024
- [02]defiteller.comhttps://defiteller.com/gamma-strategies-2024-ethereum-hack-analysis
- [03]rekt.newshttps://rekt.news/gamma-strategies-rekt