Order Queue Overwriting Leads to Incorrect Execution Tracking and Potential Loss of Funds
The GmxProxy contract incorrectly tracks only a single active order using the queue struct, which contains requestKey (identifying the order) and isSettle (indicating settlement status). When multiple orders are created in quick succession, each new order overwrites the previous queue.requestKey, leading to incorrect execution tracking. Specifically, if a vault submits an order via createOrder() and then submits a settle() order before the first order executes, the first order's key is lost because queue.requestKey = requestKey; is overwritten in both functions. Later, when afterOrderExecution() is triggered by GMX for the first order, the contract references the *wrong order key, potentially misallocating funds or failing to execute settlements correctly. The bug stems from using a single-slot storage variable instead of handling multiple simultaneous orders, as seen in this flawed implementation:
When GMX calls afterOrderExecution(), the contract processes the wrong requestKey, leading to incorrect fund transfers or failed liquidation tracking.
impact:
Loss of funds or incorrect execution tracking due to overwritten order keys, leading to misallocated settlement funds and potential vault liquidation failures.
Mitigation:
Use a mapping (mapping(bytes32 => OrderQueue)) to track multiple active orders instead of a single struct, ensuring each order is handled individually and safely deleted upon execution.
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
invalid_queue_requestKey_overwrite
Order is proceed one by one and requestKey is only used to cancelOrder. I didn’t see any real scenario where it will cause a problem. Flow and gmxLock will prevent that to happen.
Appeal created
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
invalid_queue_requestKey_overwrite
Order is proceed one by one and requestKey is only used to cancelOrder. I didn’t see any real scenario where it will cause a problem. Flow and gmxLock will prevent that to happen.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.