DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Handling of `swapPath` in `settle` Function

Summary

The `settle` function in `GmxProxy` creates a `MarketDecrease` order but sets `swapPath` to an empty array instead of using `orderData.swapPath`. This could result in unintended behavior if the correct swap path is required for token conversion.

Vulnerability Details

  1. Incorrect Swap Path Handling

    • When creating a MarketDecrease order, the function ignores the swapPath provided in orderData and instead uses an empty array.

    • This means that no token swapping will occur, potentially causing unexpected results if the order logic relies on it.

  2. Potential Impact on Position Closing

    • If the settle function is called to reduce a position, it may involve a swap from one token to another.

    • By not using orderData.swapPath, the order may settle using incorrect or suboptimal pricing, resulting in:

      • Loss of value due to incorrect asset conversion.

      • Unintended settlement behavior if token conversion is required but does not occur.

  3. Mismatch Between createOrder and settle Logic

    • In the createOrder function, the swapPath is correctly extracted from orderData.

    • In settle, this logic is missing, creating an inconsistency in how orders are processed.

Impact

  • Incorrect position settlement if token swaps are needed but do not happen.

  • Potential financial loss due to settlement being done in an unexpected asset.

  • Inconsistent behavior between order creation and settlement.

Tools Used

  • Manual Code Review

  • Business Logic Analysis

Recommendations

  • Ensure that the correct swap path is used when executing the settlement order.

  • Note that if `swapPath` is required for certain tokens, leaving it as an empty array could cause unexpected failures.

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
