DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Reentrancy Vulnerability in afterOrderExecution Allowing Potential Repeated Order Execution

Summary

The function afterOrderExecution in GmxProxy.sol is vulnerable to reentrancy due to an external call being made before state variables are updated. This allows an attacker to potentially re-enter the function and manipulate contract state in an unintended way.

Vulnerability Details

1. The function interacts with an external contract (gExchangeRouter) to claim funding fees:

claimedAmounts = gExchangeRouter.claimFundingFees(markets, tokens, perpVault);

  • This external call could trigger arbitrary logic if the external contract is malicious or if it interacts with another user-controlled contract.

2. The function then calls another external contract (IPerpetualVault):

IPerpetualVault(perpVault).afterOrderExecution(requestKey, positionKey, orderResultData, prices);

  • If afterOrderExecution contains logic that calls back into GmxProxy, it could exploit the function before state variables are updated.

3. The state update occurs only AFTER both external calls have returned:

delete queue;

PoC

Attacker Contract

  • The attacker contract would create an order and ensure execution of afterOrderExecution.

  • The attacker would then use the reentrancy attack to manipulate queue-related operations before deletion.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// IGmxProxy, IPerpetualVault and the MarketPrices struct are the protocol's own
// interfaces; their import paths are not given in this report.

contract Attacker {
    IGmxProxy gmxProxy;
    IPerpetualVault perpVault;

    constructor(address _gmxProxy, address _perpVault) {
        gmxProxy = IGmxProxy(_gmxProxy);
        perpVault = IPerpetualVault(_perpVault);
    }

    function attack(
        bytes32 requestKey,
        bytes32 positionKey,
        IGmxProxy.OrderResultData calldata orderResultData,
        MarketPrices calldata prices
    ) external {
        // First call: trigger afterOrderExecution on the proxy
        gmxProxy.afterOrderExecution(requestKey, positionKey, orderResultData, prices);
        // Second call with the same arguments, which the report assumes can land
        // before the proxy has executed `delete queue`
        gmxProxy.afterOrderExecution(requestKey, positionKey, orderResultData, prices);
    }
}

Impact

  • An attacker could manipulate the queue before it is deleted, leading to unintended execution of orders.

  • Potential double execution or order manipulation if an attacker reenters before state update.

  • Can lead to fund mismanagement or even DoS (Denial of Service) if exploited correctly.

Tools Used

Manual Review

Recommendations

  • Reorder the statements to update state variables before making external calls, i.e.:

delete queue;
IPerpetualVault(perpVault).afterOrderExecution(requestKey, positionKey, orderResultData, prices);

This ensures that queue is cleared before any external function is executed.

  • Follow the Checks-Effects-Interactions pattern

    Validate inputs first, update state second, and make external calls last, so that any callee (and anything it calls back into) observes already-updated state. A reentrancy guard on the callback entry point is a cheap second line of defense.
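To make the reordering concrete, here is an added, hypothetical Solidity example; it is not GmxProxy code and the contract names, the executions counter, the single-argument callback and the ReenteringVault are invented for illustration. It shows a queue-consuming callback with the interaction placed before the effect beside the same function rewritten in Checks-Effects-Interactions order with a mutex, and a callee that re-enters once so the difference is observable on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// HYPOTHETICAL illustration of the recommended reordering. Names, storage layout
// and the vault callback are invented for this example; this is not GmxProxy.

interface IOrderCallback {
    function afterOrderExecution(bytes32 requestKey) external;
}

// Ordering as described in the report: interaction first, `delete queue` last.
contract QueueBeforeFix is IOrderCallback {
    address public immutable vault;
    bytes32[] public queue;
    uint256 public executions; // counts queued orders that were "executed"

    constructor(address _vault) { vault = _vault; }

    function enqueue(bytes32 key) external { queue.push(key); }

    function afterOrderExecution(bytes32 requestKey) external override {
        uint256 n = queue.length;
        require(n > 0, "queue empty");
        // INTERACTION before EFFECT: the callee runs while `queue` is still populated,
        // so a re-entrant call passes the check above and counts the same orders again.
        IOrderCallback(vault).afterOrderExecution(requestKey);
        executions += n;
        delete queue;
    }
}

// Checks-Effects-Interactions plus a mutex, so re-entry is both harmless and rejected.
contract QueueAfterFix is IOrderCallback {
    address public immutable vault;
    bytes32[] public queue;
    uint256 public executions;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(address _vault) { vault = _vault; }

    function enqueue(bytes32 key) external { queue.push(key); }

    function afterOrderExecution(bytes32 requestKey) external override nonReentrant {
        // CHECK
        uint256 n = queue.length;
        require(n > 0, "queue empty");
        // EFFECTS: consume the queue before handing control to anyone else
        executions += n;
        delete queue;
        // INTERACTION: the callee now sees an empty queue, and a re-entrant call
        // additionally trips the mutex and reverts.
        IOrderCallback(vault).afterOrderExecution(requestKey);
    }
}

// Vault that re-enters its caller exactly once. try/catch keeps the outer call alive
// so the guarded contract's revert can be recorded instead of aborting the whole tx.
contract ReenteringVault is IOrderCallback {
    bool public reentered;
    bool public reentryReverted;

    function afterOrderExecution(bytes32 requestKey) external override {
        if (reentered) return;
        reentered = true;
        try IOrderCallback(msg.sender).afterOrderExecution(requestKey) {
            reentryReverted = false;
        } catch {
            reentryReverted = true;
        }
    }
}
```

Deploy a fresh ReenteringVault for each queue contract (its `reentered` flag is one-shot), enqueue two keys, and call afterOrderExecution(bytes32(0)). QueueBeforeFix ends with executions == 4 and reentryReverted == false: the inner call saw the same two keys and counted them a second time. QueueAfterFix ends with executions == 2 and reentryReverted == true: the queue was already cleared and the mutex rejected the re-entry. This is the shape of evidence the judges asked for in the Updates below, an external call path with a state delta, rather than a description of what could happen.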

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.