Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

_gmxLock is not properly reset in afterLiquidationExecution function

bear

Summary

In the afterLiquidationExecution function, the critical state variable _gmxLock is not properly reset, leading to permanent locking of core contract functionalities.

Vulnerability Details

The _gmxLock state remains true after processing results (after Handle Liquidation & Auto-Deleveraging (ADL) Order Results).

function afterLiquidationExecution() external {

if (msg.sender != address(gmxProxy)) {

revert Error.InvalidCall();

}

//Lock state not reset

//_gmxLock = false

depositPaused = true;

uint256 sizeInTokens = vaultReader.getPositionSizeInTokens(curPositionKey);

if (sizeInTokens == 0) {

delete curPositionKey;

}

if (flow == FLOW.NONE) {

flow = FLOW.LIQUIDATION;

nextAction.selector = NextActionSelector.FINALIZE;

} else if (flow == FLOW.DEPOSIT) {

flowData = sizeInTokens;

} else if (flow == FLOW.WITHDRAW) {

// restart the withdraw flow even though current step is FINALIZE.

nextAction.selector = NextActionSelector.WITHDRAW_ACTION;

}

Attack Path:

Initiate Order Request
Set _gmxLock = true during order creation.

2.Execute Order Request
Process the requested order transaction.

3.Handle Liquidation & Auto-Deleveraging (ADL) Order Results

The _gmxLock state remains true after processing results (failure to reset).

Contract locking mechanism activates permanently, blocking all _gmxLock-dependent operations (critical functionalities disabled).

Impact

This results in the contract's normal functionality being locked, thereby preventing the execution of subsequent operations

Tools Used

Manual

Recommendations

refer to afterOrderExecution function

set _gmxLock = false;

function afterOrderExecution(

bytes32 requestKey,

bytes32 positionKey,

IGmxProxy.OrderResultData memory orderResultData,

MarketPrices memory prices

) external nonReentrant {

if (msg.sender != address(gmxProxy)) {

revert Error.InvalidCall();

}

// MarketPrices memory marketPrices = gmxProxy.getMarketPrices(market);

>> _gmxLock = false;

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_gmxLock_not_reset_during_liquidation

Likelihood: Medium, every liquidation. Impact: Medium, runNextAction and cancelFlow are not usable before a `withdraw` or a `run`

Appeal created

riceee Auditor

5 months ago

n0kto Lead Judge

5 months ago

n0kto Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.