DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Invalid

State Desynchronization Leading to Double-Spending

Summary

A critical vulnerability exists in the runNextAction function due to improper synchronization of state variables during multi-step operations. This allows attackers to manipulate residual swap/withdrawal progress data, leading to double-spending of vault funds. The root cause is the failure to fully reset swapProgressData and flowData states between asynchronous operations.

Vulnerability Details

Technical Background

The runNextAction function handles complex workflows involving GMX positions and DEX swaps. Critical state variables like swapProgressData track partial swap executions, while flowData stores context for ongoing operations. These states are not atomically updated across GMX callbacks and swap operations.

Affected Code

Incomplete state reset in swap handling:

```solidity
function _runSwap(bytes[] memory metadata, bool isCollateralToIndex, MarketPrices memory prices) internal returns (bool) {
    // Partial swap execution updates swapped/remaining but...
    swapProgressData.swapped += _doDexSwap(data, isCollateralToIndex);
    // ...no cleanup if next GMX swap fails
}

function afterOrderCancellation(...) external {
    // Retains swapProgressData.remaining on GMX failures
    nextAction.data = abi.encode(swapProgressData.remaining, ...);
}
```
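The following is an added illustration, not code from the audited vault or from the submitter: a hypothetical, simplified contract that shows the general pattern the report describes (partial swap progress surviving a cancelled flow and being inherited by the next one) next to a hardened variant that clears all per-flow state as one unit and binds callbacks to the flow they belong to. Every name in it (FlowStateExample, SwapProgress, FlowContext, beginFlow*, runSwapStep*, onCancellation*, _doDexSwapStub) is an assumption for this example, the DEX call is a stub, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified illustration of per-flow state handling.
/// Every name here is an assumption for this example; none is from the audited vault.
/// Access control on the external functions is omitted for brevity.
contract FlowStateExample {
    struct SwapProgress { uint256 swapped; uint256 remaining; }
    struct FlowContext  { address user; bool isDeposit; uint256 flowId; }

    SwapProgress public swapProgressData;
    FlowContext  public flowData;
    uint256 private lastFlowId;

    /// Stand-in for a DEX call: pretend `amount` was swapped 1:1.
    function _doDexSwapStub(uint256 amount) internal pure returns (uint256) {
        return amount;
    }

    // ------------------------------------------------------------------
    // Vulnerable pattern: progress is accumulated and never fully reset.
    // ------------------------------------------------------------------

    function beginFlowVulnerable(address user, bool isDeposit, uint256 amount) external {
        flowData = FlowContext(user, isDeposit, ++lastFlowId);
        // Only `remaining` is set; `swapped` left over from an earlier flow stays
        // in place, so this flow starts with progress it never earned.
        swapProgressData.remaining = amount;
    }

    function runSwapStepVulnerable(uint256 stepAmount) external {
        require(stepAmount <= swapProgressData.remaining, "step too large");
        swapProgressData.swapped += _doDexSwapStub(stepAmount);
        swapProgressData.remaining -= stepAmount;
    }

    /// Mirrors "retains swapProgressData.remaining on GMX failures": the flow is
    /// abandoned, but the partial swap state survives for whatever comes next.
    function onCancellationVulnerable() external {
        flowData.user = address(0);
    }

    // ------------------------------------------------------------------
    // Hardened pattern: one flow at a time, state cleared as a unit,
    // callbacks bound to the flow they belong to.
    // ------------------------------------------------------------------

    function beginFlowHardened(address user, bool isDeposit, uint256 amount) external {
        require(flowData.user == address(0), "flow in progress");
        delete swapProgressData;                      // swapped = 0, remaining = 0
        flowData = FlowContext(user, isDeposit, ++lastFlowId);
        swapProgressData.remaining = amount;
    }

    function runSwapStepHardened(uint256 flowId, uint256 stepAmount) external {
        require(flowId == flowData.flowId && flowData.user != address(0), "not the active flow");
        require(stepAmount <= swapProgressData.remaining, "step too large");
        swapProgressData.swapped += _doDexSwapStub(stepAmount);
        swapProgressData.remaining -= stepAmount;
    }

    function onCancellationHardened(uint256 flowId) external {
        require(flowId == flowData.flowId && flowData.user != address(0), "stale callback");
        // Refund or settle the user from swapProgressData here, then drop ALL
        // per-flow state together so nothing leaks into the next flow.
        delete swapProgressData;
        delete flowData;
    }
}
```

The defensive points are the two `delete` statements (progress and context are cleared together, never piecemeal) and the `flowId` check on every step and callback, which is what prevents a late cancellation from an earlier flow from touching the state of the flow that replaced it.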

Impact

  1. Partial swap states enable reuse across unrelated operations

  2. Residual flowData allows cross-user fund contamination

  3. No isolation between deposit/withdrawal contexts

Tools Used

Manual Code Review

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
