Vault might unexpectedly create a GMX order when Paraswap wass meant
Summary
When the keeper tries to open a short position (DexSwap) when there's a long 1x position(DexSwap) already opened by calling PerpetualVaulut::run(true, false,...) followed by PerpetualVaulut::runNextAction(...), a GMX order will be created and this is an unintended behavior.
Vulnerability Details
Internal Precondition
Long 1x leverage position is open (DexSwap)
Attack
Keeper calls
run(true, false,...)to open a short position => the long position will be closed (DexSwap)keeper calls
runNextAction(...)it should open a short position (DexSwap)
Chain of calls/subcalls for the 1st call:
Keeper =>
run(true, false,...)=>_runSwap(..., false, ...)=>_updateState(true, false)
=> _doDexSwap(..., false) => swap(...)
Current state:
nextAction.selector == NextActionSelector.INCREASE_ACTION(bool _isLong) = abi.decode(_nextAction.data, (bool)) = false
Chain of calls/subcalls for the 2nd call:
Keeper =>
runNextAction(...)=> [_doDexSwap(..., false)=>swap(...)]
=>_createIncreasePosition(false,...)=>gmxProxy.createOrder(...)
Impact
Protocol is not behaving as expected, triggering GMX when it wasn't ordered to.
Tools Used
Manual review
Recommendations
Fix the bug in order to never trigger GMX when it's not intended to be triggered.
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.