The `PerpetualVault::afterLiquidationExecution` function is missing the allocation for `isPositionClosed`.
Summary
The PerpetualVault::afterLiquidationExecution function is triggered by the gmxProxy contract when a liquidation callback is received from GMX. However, the function fails to set isPositionClosed to true when a position is liquidated during the deposit or withdraw flow, potentially causing unintended protocol behavior.
Vulnerability Details
current state, beenLong == true, leverage == 10_000, positionIsClose == false
User calls the withdraw function, nextAction.selector is set to NextActionSelector.WITHDRAW_ACTION.
The position get liquidated and
afterLiquidationExecutiongets called.as the current flow is withdraw so the
nextActionstays the same.keeper calls the
runNextfunction which calls the_withdrawfunctionThe _withdraw function checks if the
positionIsClosedis true or false.As the positionIsClosed is currently false and
_isLongOneLeverage(beenLong)is true, causing the protocol to place aMarketSwaporder with swapAmount as 0 leading to an error from the GMX as the position has been liquidated.
Impact
When withdrawing collateral tokens, the protocol bypasses the (positionIsClosed == true) check, which can result in incorrect fund transfers or prevent users from retrieving their funds.
Tools Used
Manual Review
Recommendations
Add a mechanism in the afterLiquidationExecution function to allocate isPositionClose to be true when the flow is withdraw and deposit.
Lead Judging Commences
invalid_liquidation_do_not_reset_positionIsClosed
"// keep the positionIsClosed value so that let the keeper be able to create an order again with the liquidated fund" Liquidation can send some remaining tokens. No real impact here.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.