Unaddressed nextAction state after Signal_CHANGE cancellation
Title
Unaddressed nextAction state after Signal_CHANGE cancellation
Summary
When a decrease order fails during position closure and reopening, the nextAction isn't reset. This violates the system's invariant that expects nextAction to be empty after all actions are completed.
Vulnerability Details
A leveraged position on GMX is being closed and a new one opened.
The keeper triggers the
run()function, leading to theelseblock at lines 314-325:nextAction.selector = NextActionSelector.INCREASE_ACTION;nextAction.data = abi.encode(isLong);This schedules the next action as
INCREASE_ACTION.During
_createDecreasePosition(), a MarketDecrease order is created, but it fails on GMX.The keeper cancels the order, triggering
afterOrderCancellation(), which resetsflowandflowDatabut doesn't clearnextAction.
Impact
The nextAction remains set to INCREASE_ACTION, breaking the invariant that it should be empty after all actions.
Tools Used
Manual Review
Recommendations
Modify the afterOrderCancellation() function to reset nextAction when flow is SIGNAL_CHANGE.
Lead Judging Commences
invalid_afterOrderCancellation_do_not_reset_nextAction
Normal behavior, the keeper will retry to increase the position. That’s why there is this condition in `_createIncreasePosition`: ``` if (flow == FLOW.DEPOSIT) { amountIn = depositInfo[counter].amount; flowData = vaultReader.getPositionSizeInTokens(curPositionKey); } else { amountIn = collateralToken.balanceOf(address(this)); } ```
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.