DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

GmxProxy can't handle two output tokens when an order is decreased

Summary

If the GMX callback returns more than one output token, the GmxProxy.sol::afterOrderExecution function only handles the first one, so the contract loses track of the funds sent as the secondary token.

Vulnerability details

According to the GMX integration notes:

Decrease position orders can output two tokens instead of a single token, in case the decrease position swap fails, it is also possible that the output amount and collateral may not be sufficient to cover fees, causing the order to not be executed

If we examine GmxProxy.sol::afterOrderExecution(), the code that reads the output token and amount only processes the first item of each list, without checking whether a second one is present:

    address outputToken;
    uint256 outputAmount;
    if (
        order.numbers.orderType == Order.OrderType.MarketSwap ||
        order.numbers.orderType == Order.OrderType.MarketDecrease
    ) {
        // @audit can output two tokens instead of one when decreasing a position
@>      outputToken = eventData.addressItems.items[0].value;
@>      outputAmount = eventData.uintItems.items[0].value;
    }

As a result, the funds delivered as the secondary token are not tracked. Only the first token and amount are then passed to PerpetualVault.sol::afterOrderExecution(), where, depending on the action, the vault mints or withdraws fewer tokens than the order actually produced.

Impact

  • Severe disruption of the protocol.

  • Loss of funds for the users.

Root cause

Neither GmxProxy.sol::afterOrderExecution() nor PerpetualVault.sol::afterOrderExecution() supports a second output token.

Tools used

Manual Review

Recommendations

Add logic to the afterOrderExecution() functions of both contracts so that they read and account for a second output token and amount whenever the decrease order produces one.
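As an added illustration (not code from the audited protocol), the helper below shows how a callback can read both output legs of a decrease order instead of only item 0. The EventLogData struct is a simplified stand-in for GMX's EventUtils library, and the assumption that the secondary token and amount sit at index 1 follows the secondaryOutputToken/secondaryOutputAmount keys GMX sets for decrease orders; verify that layout against the GMX version you integrate with.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for GMX's EventUtils.EventLogData (only the fields used here).
library EventUtils {
    struct AddressKeyValue { string key; address value; }
    struct AddressItems { AddressKeyValue[] items; }
    struct UintKeyValue { string key; uint256 value; }
    struct UintItems { UintKeyValue[] items; }
    struct EventLogData { AddressItems addressItems; UintItems uintItems; }
}

/// Hypothetical helper: parses both output legs reported by a decrease order.
contract OutputParser {
    struct Outputs {
        address outputToken;
        uint256 outputAmount;
        address secondaryOutputToken;   // zero when GMX produced a single output
        uint256 secondaryOutputAmount;
    }

    /// Item 0 is the primary output; item 1, when present, is the secondary one.
    /// Assumed index layout, based on the keys GMX emits for decrease orders.
    function parseOutputs(EventUtils.EventLogData memory eventData)
        public pure returns (Outputs memory o)
    {
        o.outputToken = eventData.addressItems.items[0].value;
        o.outputAmount = eventData.uintItems.items[0].value;
        if (eventData.addressItems.items.length > 1 && eventData.uintItems.items.length > 1) {
            o.secondaryOutputToken = eventData.addressItems.items[1].value;
            o.secondaryOutputAmount = eventData.uintItems.items[1].value;
        }
    }

    /// The vault-side accounting must branch on this instead of ignoring the second leg.
    function hasSecondaryOutput(Outputs memory o) public pure returns (bool) {
        return o.secondaryOutputToken != address(0) && o.secondaryOutputAmount > 0;
    }
}
```

When hasSecondaryOutput() is true, the amount of secondaryOutputToken must be forwarded to the vault's mint or withdraw accounting alongside the primary amount, otherwise those funds remain untracked in the proxy.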

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_decreasePositionOrder_ouput_two_tokens_not_handled

Guardian’s audit H-05.
