DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Invalid

Ineffective Lock Mechanism for Canceling Active Flows

Logic Issue, Flow Control, Denial of Service

Summary

The gmxLock modifier on cancelFlow prevents the function from executing at the precise moment it is required, causing an inability to terminate active flows.

Vulnerability Details

The cancelFlow function is marked with gmxLock, which reverts when _gmxLock == true. The vault sets _gmxLock == true during GMX operations. This setup breaks the intended design, because cancelFlow cannot execute while a flow is active. The contract remains stuck in ongoing operations without a valid way to cancel them.

    function cancelFlow() external nonReentrant gmxLock {
        _onlyKeeper();
        _cancelFlow();
    } // gmxLock modifier prevents cancellation when _gmxLock is true, which is when cancellation is needed.

Impact

Impact: Medium. Ongoing operations remain locked with no mechanism to abort. This design leads to denial of service scenarios.
Likelihood: Low. Flow cancellation is generally an administrative or keeper operation, but it fails whenever _gmxLock == true, which is exactly when it is needed.

Tools Used

Manual Review

  1. A GMX order is placed, setting _gmxLock = true.

  2. The keeper attempts to call cancelFlow() to halt the operation.

  3. The gmxLock modifier rejects the call because _gmxLock == true.

  4. The operation remains locked, and the system cannot exit the flow.

Recommendations

Remove the gmxLock modifier from cancelFlow or modify the locking logic to allow cancellation during active flows. This ensures that cancellation is always available, aligning with the intended mechanism to abort ongoing actions.

    function cancelFlow() external nonReentrant {
        _onlyKeeper();
        _cancelFlow();
    }

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
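
The behaviour the submission describes can be checked against a small model. The sketch below is an added example, not the audited vault's code: it assumes gmxLock reverts while _gmxLock is true, as the submission states, because the modifier itself is not shown on this page. FlowModel, placeOrder, cancelFlowLocked, cancelFlowUnlocked and KeeperHarness are hypothetical names, and nonReentrant is omitted to keep the example free of dependencies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Toy model for illustration only; not the audited vault.
// Assumption: gmxLock reverts while _gmxLock is true, as the submission states.
contract FlowModel {
    bool private _gmxLock;            // assumed to be set while a GMX order is pending
    address public immutable keeper;
    error GmxLocked();

    constructor(address keeper_) { keeper = keeper_; }

    modifier gmxLock() {
        if (_gmxLock) revert GmxLocked();
        _;
    }

    function _onlyKeeper() internal view { require(msg.sender == keeper, "not keeper"); }

    // Hypothetical stand-in for placing a GMX order.
    function placeOrder() external { _onlyKeeper(); _gmxLock = true; }

    function _cancelFlow() internal { _gmxLock = false; }

    // Same modifier arrangement as the function quoted in the submission.
    function cancelFlowLocked() external gmxLock {
        _onlyKeeper();
        _cancelFlow();
    }

    // Same modifier arrangement as the function in the recommendation.
    function cancelFlowUnlocked() external {
        _onlyKeeper();
        _cancelFlow();
    }
}

contract KeeperHarness {
    FlowModel public immutable model;

    constructor() { model = new FlowModel(address(this)); }

    // Sets the lock, then tries both cancel variants and reports which succeeded.
    function run() external returns (bool lockedOk, bool unlockedOk) {
        model.placeOrder();
        try model.cancelFlowLocked() { lockedOk = true; } catch {}
        try model.cancelFlowUnlocked() { unlockedOk = true; } catch {}
    }
}
```

Under the stated assumption, run() returns (false, true). Whether the same holds for the real vault depends on how its gmxLock modifier and _gmxLock flag are actually defined.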
