Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Orders Can Be Executed After Vault State Changes

daniel526

The afterOrderExecution function in GmxProxy processes GMX order executions without verifying if the order is still valid according to the perpetual vault’s latest state. This creates a scenario where outdated orders, submitted earlier but executed later by GMX, can modify the vault’s position even after it has changed due to manual adjustments or liquidations. The issue arises because afterOrderExecution directly interacts with the vault without checking if the position or strategy has changed since order submission:

function afterOrderExecution(

bytes32 requestKey,

Order.Props memory order,

EventLogData memory eventData

) external override validCallback(requestKey, order) {

bytes32 positionKey = keccak256(

abi.encode(

address(this),

order.addresses.market,

order.addresses.initialCollateralToken,

order.flags.isLong

)

);

MarketPrices memory prices = getMarketPrices(order.addresses.market);

// @audit No validation on whether the position is still valid for execution

IGmxProxy.OrderResultData memory orderResultData = IGmxProxy.OrderResultData(

order.numbers.orderType,

order.flags.isLong,

order.numbers.sizeDeltaUsd,

outputToken,

outputAmount,

queue.isSettle

);

IPerpetualVault(perpVault).afterOrderExecution(requestKey, positionKey, orderResultData, prices);

delete queue;

}

Since there is no vault-side validation, this function can apply an order to a position that has already been closed or changed, leading to unexpected re-opening of positions, unintended leverage modifications, or risk exposure mismatches.

Impact:

The primary impact is that an outdated or unintended GMX order can execute and alter the perpetual vault’s position, potentially reopening closed positions, increasing leverage beyond intended limits, or interfering with liquidations, leading to financial loss and strategy inconsistency.

Mitigation:

Before executing an order in afterOrderExecution, the contract should validate whether the perpetual vault’s position still matches the expected state of the order, ensuring that the order is still relevant and not stale.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.