Liquidity Management

Summary

By creating an order that gets frozen, an attacker can DOS the entire protocol.

Vulnerability Details

This is how the attacker would DOS the protocol:

1) Create a faulty order and make sure it gets frozen. When creating this order, the gmxLock will be set to true. This order should not be erroneous with any of the following errors inside of the GMX protocol.

2) When the OrderHandler tries to execute the order, it triggers the _handleOrderError().

3) Since it relates to another error than the above ones, OrderUtils.freezeOrder()will get called, which in turn calls the hook afterOrderFrozen()in the GmxProxy of the Gamma Protocol.

4) The afterOrderFrozen() hook in GmxProxy is empty, which means that the _gmxLockwill not be disabled.

5) Since there's no current way to unlock _gmxLock, the protocol stays locked and essentially unusable.

It's worth mentioning that Gamma mentions a situation where an order might be frozen that doesn't apply to them (e.g., a limit order that can be set with a greater size than the available amount in the pool). However, as seen in the GMX @dev documentation:

// freeze unfulfillable orders to prevent the order system from being gamed
// an example of gaming would be if a user creates a limit order
// with size greater than the available amount in the pool
// the user waits for their limit price to be hit, and if price
// moves in their favour after, they can deposit into the pool
// to allow the order to be executed then close the order for a profit

Impact

Severity: High, Likelihood: Medium.

Tools Used

Manual Review.

Recommendations

Add an additional function to manually set the _gmxLock() in case of unexpected frozen orders.