Liquidity Management

Summary

The run function in the PerpetualVault contract does not include the gmxLock modifier, while the runNextAction function does. This inconsistency may lead to state corruption or unexpected execution issues when interacting with GMX.

Vulnerability Details

The gmxLock modifier is designed to prevent concurrent execution of GMX-related actions, ensuring that a new action cannot be started until the previous one has been fully processed, including the callback. The runNextAction function correctly implements this mechanism, but the run function does not. This omission means that it is possible to execute multiple GMX-related actions simultaneously, which could result in unexpected behavior.

Without the gmxLock modifier, a new GMX order could be submitted before the previous one is completed. This creates a risk of race conditions where the contract's state is modified in an unintended sequence. Additionally, if GMX relies on callbacks to complete certain actions, executing multiple transactions without enforcing a lock could lead to data corruption or unintentional position management.

Impact

The absence of gmxLock in run may cause state inconsistencies, unexpected execution of orders, or potential manipulation of position states. If multiple GMX orders are processed simultaneously without proper locking, the contract may behave unpredictably, leading to incorrect position calculations or financial loss.

Tools Used

• Manual Code Review

Recommendations

Add the gmxLock modifier to the run function to ensure that only one GMX-related action is in progress at a time. This will help prevent race conditions and ensure that the state is updated in a controlled manner. Additionally, consider enforcing checks to ensure that no GMX-related actions can be executed while _gmxLock is set.