Missing GMX Lock Check in GMXProxy.cancelOrder
Summary
The cancelOrder() function in GmxProxy.sol lacks a check to ensure that there is no active GMX action before allowing order cancellations. This will lead to valid GMX orders being incorrectly canceled while a GMX action is still in progress.
2025-02-gamma/contracts/GmxProxy.sol at main · CodeHawks-Contests/2025-02-gamma
Vulnerability Details
In PerpetualVault.sol2025-02-gamma/contracts/PerpetualVault.sol at main · CodeHawks-Contests/2025-02-gamma ,
the cancelOrder() function correctly checks _gmxLock == false before allowing a cancel request.
However, GmxProxy.cancelOrder() this function can be called externally by the perpVault, and it does not check _gmxLock, meaning it can cancel an order while a GMX action is still in progress (from GMX call initiation to GMX callback).
If there is infact an ongoing GMX action, canceling an order at this stage will result in valid order cancellations, which leads to loss of funds for users.
2025-02-gamma/contracts/GmxProxy.sol at main · CodeHawks-Contests/2025-02-gamma
Impact
Valid GMX Orders will Be Canceled Prematurely
Race Conditions & Unexpected State Changes
If
_gmxLockis true, another function could still be modifying or interacting with GMX at the same time.Cancelling the order in this state would lead to fund loss and result in unintended cancellations.
Tools Used
Recommendations
Modify cancelOrder() in GMXProxy.sol to include a _gmxLock check.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.