Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

GmxProxy Whitelist Restriction Causes Callback Failures with Multiple OrderHandlers

wellbyt3

Summary

Because the validCallback modifier in GmxProxy only whitelists a single set of handlers, callbacks from a second OrderHandler cause the contract to revert—this breaks the deposit flow (since afterOrderExecution() never runs), leaving users’ funds deposited on GMX without receiving corresponding shares, ultimately resulting in lost funds.

Vulnerability Details

GmxProxy.sol recieves GMX callbacks via the afterOrderExecution() function. To avoid malicious callbacks from positions that don't belong to the PerpetualVault, the validCallback modifier is used:

modifier validCallback(bytes32 key, Order.Props memory order) {

require(

msg.sender == address(orderHandler) ||

msg.sender == address(liquidationHandler) ||

msg.sender == address(adlHandler),

"invalid caller"

);

require(order.addresses.account == address(this), "not mine");

}

According to the GMX documentation:

When creating a callback contract, the callback contract may need to whitelist the DepositHandler, OrderHandler or WithdrawalHandler, it should be noted that new versions of these handlers may be deployed as new code is added to the handlers, it is also possible for two handlers to temporarily exist at the same time, e.g. OrderHandler(1), OrderHandler(2), due to this, the callback contract should be able to whitelist and simultaneously accept callbacks from multiple DepositHandlers, OrderHandlers and WithdrawalHandlers

If there are two OrderHandlers, the GMXProxy will always revert when receiving callbacks from one of the two OrderHandlers.

This causes huge problems because the order will go through on the GMX side, but afterOrderExecution() won't run in the PerpetualVault.

During deposits to an open position, for example, shares are minted in afterOrderExecution, so the depositors funds will be add to the position, but they won't receive their shares causing loss of funds.

Impact

Loss of funds

Tools Used

Manual review

Recommendations

Allow for handling of multiple OrderHandlers.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_multiple_orderHandler_not_allowed_by_proxy

Likelihood: Low, when multiple orderHandler exist at the same time. Impact: High, some orders won’t trigger `afterOrderExecution` when they should, until the migration is complete. Leading to DoS and no share minted. Deploying a new proxy won’t change anything during all the “migration” since you cannot know which handler will respond.

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!