DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

ETH Drain Vulnerability in GMX Order Cancellation and Retrying

Summary

GMXProxy's createOrder and settle functions require ETH (the execution fee), which is forwarded to the gExchangeRouter. If such an order is canceled via cancelOrder before it completes, that ETH is not returned to the proxy. The flow is designed to be retried without collecting additional ETH from the initiator, so each retry is paid out of the proxy's own balance. If the user then calls cancelFlow() to exit the process entirely, their ETH is still refunded to them in full. Repeated over many cancel/retry cycles, GMXProxy keeps losing ETH and can run out entirely, potentially disrupting operations.

Vulnerability Details

  • ETH Required for GMX Orders:

    • createOrder and settle transactions require ETH, which is sent to gExchangeRouter.

    • If the transaction is canceled and retried, the ETH is not refunded.

    • The PerpetualVault contract expects to retry the flow but does not collect additional ETH from the user.

  • Potential ETH Drain on GMXProxy:

    • If the process is repeated multiple times, GMXProxy will continue losing ETH since each retry consumes ETH but does not collect more from users.

    • When cancelFlow() is called, the user's ETH is refunded, but GMXProxy has already lost ETH to gExchangeRouter.

    • Over time, GMXProxy can run out of ETH, causing failures in order execution.
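The following Solidity sketch is an added example, not code from the DeFiFoundry/GMXProxy codebase or from GMX. It contrasts the accounting pattern described above (retries paid from the proxy's pooled ETH, user refunded in full on cancelFlow) with a per-flow fee escrow. `IRouterLike`, `NaiveProxy`, `EscrowProxy`, `startFlow`, `retry`, `cancelFlow`, `poolBalance` and the `flowId` key are all hypothetical names; the stand-in router simply keeps whatever execution fee it receives, which models the non-refund-on-cancel behaviour the report relies on rather than GMX's actual fee handling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// HYPOTHETICAL stand-in for gExchangeRouter: takes the execution fee as
// msg.value and keeps it, even if the order is later canceled.
interface IRouterLike {
    function createOrder(bytes32 flowId) external payable;
    function cancelOrder(bytes32 flowId) external;
}

// Pattern the report describes: the user pays the execution fee once, every
// keeper retry pays a fresh fee out of the proxy's pooled ETH, and cancelFlow
// still refunds the user's full original payment.
contract NaiveProxy {
    IRouterLike public immutable router;
    uint256 public immutable executionFee;
    mapping(bytes32 => address) public flowOwner;
    mapping(bytes32 => uint256) public userPaid;

    constructor(IRouterLike r, uint256 fee) { router = r; executionFee = fee; }

    receive() external payable {} // protocol tops up the shared pool here

    function startFlow(bytes32 flowId) external payable {
        require(msg.value == executionFee, "fee");
        flowOwner[flowId] = msg.sender;
        userPaid[flowId] = msg.value;
        router.createOrder{value: executionFee}(flowId);
    }

    // Each retry spends executionFee from address(this).balance and charges
    // nobody; once the pool is below executionFee this call reverts (the DoS).
    function retry(bytes32 flowId) external {
        router.cancelOrder(flowId);
        router.createOrder{value: executionFee}(flowId);
    }

    function cancelFlow(bytes32 flowId) external {
        router.cancelOrder(flowId);
        uint256 amt = userPaid[flowId];
        userPaid[flowId] = 0;
        (bool ok, ) = flowOwner[flowId].call{value: amt}("");
        require(ok, "refund");
    }
}

// Hardened pattern: every flow carries its own fee escrow. Retries spend that
// escrow (and may top it up), never the shared pool, and cancelFlow refunds
// only what is left, so cancel/retry cycles cannot drain the proxy.
contract EscrowProxy {
    struct Flow { address owner; uint256 escrow; }

    IRouterLike public immutable router;
    uint256 public immutable executionFee;
    uint256 public totalEscrow; // sum of all flows' escrow
    mapping(bytes32 => Flow) public flows;

    constructor(IRouterLike r, uint256 fee) { router = r; executionFee = fee; }

    receive() external payable {}

    function startFlow(bytes32 flowId) external payable {
        require(flows[flowId].owner == address(0), "exists");
        require(msg.value >= executionFee, "fee");
        uint256 left = msg.value - executionFee; // surplus stays as escrow
        flows[flowId] = Flow(msg.sender, left);
        totalEscrow += left;
        router.createOrder{value: executionFee}(flowId);
    }

    // Payable so the keeper or user can top the escrow up; if the escrow
    // cannot cover the fee, fail closed instead of dipping into pooled ETH.
    function retry(bytes32 flowId) external payable {
        Flow storage f = flows[flowId];
        require(f.owner != address(0), "no flow");
        f.escrow += msg.value;
        totalEscrow += msg.value;
        require(f.escrow >= executionFee, "escrow exhausted");
        f.escrow -= executionFee;
        totalEscrow -= executionFee;
        router.cancelOrder(flowId);
        router.createOrder{value: executionFee}(flowId);
    }

    function cancelFlow(bytes32 flowId) external {
        Flow memory f = flows[flowId];
        require(f.owner != address(0), "no flow");
        delete flows[flowId]; // effects before the external call
        totalEscrow -= f.escrow;
        router.cancelOrder(flowId);
        (bool ok, ) = f.owner.call{value: f.escrow}("");
        require(ok, "refund");
    }

    // Invariant a test or monitor can check after any call sequence:
    // protocol-funded ETH is never consumed by user flows.
    function poolBalance() external view returns (uint256) {
        return address(this).balance - totalEscrow;
    }
}
```

In `NaiveProxy`, `retry()` reverts as soon as `address(this).balance < executionFee`, which is the temporary DoS described under Impact; in `EscrowProxy` the same exhaustion only fails the one flow whose escrow is empty, and `poolBalance()` stays constant across any number of cancel/retry cycles.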

Impact

Loss of ETH from GMXProxy as a result of order cancellation, e.g. when there is a serious price deviation the keeper will keep retrying and canceling the transaction, losing ETH on every attempt.

A temporary DoS occurs once the ETH is drained by excessive cancellations, since neither cancelFlow nor an order retry can be executed until `gmxProxy` is funded again by the protocol.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
