Event data passed to GmxProxy::afterOrderExecution should be validated before use
Summary
In the GMX README, under Integrations, it states:
Event data may be passed to callback contracts, the ordering of the params in the eventData will be attempted to be unchanged, so params can be accessed by index, for safety the key of the param should still be validated before use to check if it matches the expected value
Vulnerability Details
In GmxProxy::afterOrderExecution, eventData from the GMX protocol is used (tokens and amounts). For instance, outputToken and outputAmount:
If those values are not as expected, it could cause some issues in the protocol
Impact
Transferring one token assuming it was a different one (i.e. transferring index token when it was supposed to transfer collateral tokens)
Tools Used
Manual review
Recommendations
Check the event data is as expected for the different order types
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.