A critical vulnerability has been identified in the withdrawal process of the PerpetualVault contract: improper state management after failed GMX operations could lead to fund misallocation, duplicate withdrawals, or permanent asset locking. The issue stems from incomplete state resets when a GMX position reduction request fails, leaving residual transaction data that may be reused by subsequent operations.
The withdrawal process uses the state variables nextAction and flowData to track multi-step operations. When a GMX position reduction fails (signalled through the afterOrderCancellation callback), these variables are not fully reset, leaving orphaned references to the previous request.
Double-Withdrawal Attacks
Malicious actors could replay failed withdrawal states to drain funds.
Permanent Locking
Orphaned states may block legitimate withdrawals by leaving an inconsistent ledger.
Manual Review
Normal behavior: the keeper will retry increasing the position. That's why there is this condition in `_createIncreasePosition`:

```solidity
if (flow == FLOW.DEPOSIT) {
    // Deposit flow: use the amount recorded for the current deposit and
    // refresh the position-size snapshot on every attempt
    amountIn = depositInfo[counter].amount;
    flowData = vaultReader.getPositionSizeInTokens(curPositionKey);
} else {
    // Other flows: the input amount is read from the vault's live collateral
    // balance rather than from state left over from an earlier attempt
    amountIn = collateralToken.balanceOf(address(this));
}
```
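To make the retry behaviour discussed above concrete, here is a hypothetical, simplified model of the flow state machine (the nextAction/flowData tracking from the finding and the branch quoted in the comment). This is an added illustration, not PerpetualVault's code: the contract name, the `startDeposit`/`startWithdraw`/`retry`/`afterOrderExecution` functions, the `positionSizeInTokens` stand-in for `vaultReader.getPositionSizeInTokens`, and the event names are all assumptions; only the `if (flow == FLOW.DEPOSIT)` branch mirrors the quoted snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of a keeper-driven flow state machine. Not the
// PerpetualVault contract; every name other than those in the quoted
// snippet is an assumption made for this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

contract FlowStateModel {
    enum FLOW { NONE, DEPOSIT, WITHDRAW }

    struct DepositInfo { uint256 amount; }

    IERC20 public immutable collateralToken;
    FLOW public flow;                     // which multi-step operation is in progress
    uint256 public flowData;              // position-size snapshot for DEPOSIT flows
    uint256 public counter;               // index of the current deposit
    mapping(uint256 => DepositInfo) public depositInfo;
    uint256 public positionSizeInTokens;  // stand-in for vaultReader.getPositionSizeInTokens

    event IncreaseRequested(FLOW flow, uint256 amountIn, uint256 flowData);
    event OrderCancelled(FLOW flowKeptForRetry);
    event FlowSettled(FLOW flow);

    constructor(IERC20 token) {
        collateralToken = token;
    }

    function startDeposit(uint256 amount) external {
        require(flow == FLOW.NONE, "flow in progress");
        counter++;
        depositInfo[counter] = DepositInfo(amount);
        flow = FLOW.DEPOSIT;
        _createIncreasePosition();
    }

    function startWithdraw() external {
        require(flow == FLOW.NONE, "flow in progress");
        flow = FLOW.WITHDRAW;
        _createIncreasePosition();
    }

    // Keeper entry point after a cancelled GMX order: re-issue the request.
    // Nothing is replayed from the old request; inputs are recomputed below.
    function retry() external {
        require(flow != FLOW.NONE, "nothing to retry");
        _createIncreasePosition();
    }

    // Cancellation callback. The flow is deliberately left in place so the
    // keeper can retry; resetting it here would strand the user's operation.
    function afterOrderCancellation() external {
        emit OrderCancelled(flow);
    }

    // Execution callback: only a successfully executed order ends the flow,
    // and that is where the tracking state is cleared.
    function afterOrderExecution() external {
        emit FlowSettled(flow);
        flow = FLOW.NONE;
        flowData = 0;
    }

    // Mirrors the quoted branch: the deposit path uses the recorded deposit
    // amount and refreshes flowData; every other path reads the live balance,
    // so a stale flowData from a cancelled attempt is never used as an input.
    function _createIncreasePosition() internal {
        uint256 amountIn;
        if (flow == FLOW.DEPOSIT) {
            amountIn = depositInfo[counter].amount;
            flowData = positionSizeInTokens;
        } else {
            amountIn = collateralToken.balanceOf(address(this));
        }
        emit IncreaseRequested(flow, amountIn, flowData);
    }
}
```

The point the model makes is that the reuse risk depends on what the retried request reads: state that is recomputed on each attempt (the live token balance, a fresh position-size snapshot) cannot carry a stale value forward, whereas any input taken verbatim from a previous request's stored data would need an explicit reset in the cancellation path. When reviewing a contract like this, check each field consumed by the retry against that distinction rather than assuming all leftover state is dangerous.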