DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Invalid

No Access Control Check in the `refundExecutionFee` Callback Function

Summary

The `refundExecutionFee` callback can be called by anyone because nothing verifies the caller's (`msg.sender`) authority. An unauthenticated callback lets an attacker invoke it with arbitrary input: feeding fraudulent order data, spamming the callback, or wasting the contract's resources.

Vulnerability Details

`refundExecutionFee` is a callback that GMX invokes to return the unused portion of the execution fee after it executes an order. It takes the following parameters:

  • key: A unique identifier for the order (request key).

  • EventLogData: a struct carrying the event's data (addresses, integers, booleans, and so on); the parameter is unnamed in the code because the body never reads it.

The function is marked `payable` so that it can receive the refunded ETH from GMX during the callback.

```solidity
// Callback invoked by GMX to return the unused execution fee. The body is empty and
// there is no check on msg.sender, so any address can call it and send ETH along.
function refundExecutionFee(
    bytes32 key,
    EventLogData memory
) external payable {}
```

The function performs no check on `msg.sender`, so any address can call it. Two things are missing:

  • No caller verification: the function does not confirm that the call originates from GMX, the only contract that should ever trigger this callback.

  • No data validation: nothing checks that `key` refers to a real order or that the `EventLogData` payload is well formed.

Impact

An attacker can call the function with a fabricated `key` and `EventLogData` to manipulate state or disrupt the order-related logic tied to GMX.

Tools Used

Manual

Recommendations

Restrict `refundExecutionFee` to the GMX contract that issues the callback: store that address and revert when `msg.sender` does not match it, so only trusted callers can deliver the refund.
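One way to apply that recommendation, as an added example rather than code from the audited project: the receiver records the address of the GMX contract that performs the callback and rejects every other caller. The `IGasFeeCallbackReceiver` interface name follows GMX v2's callback interface; the `EventLogData` struct is a simplified stand-in for GMX's `EventUtils.EventLogData`, kept only so the signature matches the one discussed above. The constructor argument and the `gmxCallbackCaller` name are assumptions for illustration, not identifiers from the audited code base.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for GMX v2's EventUtils.EventLogData (assumption: the real
// struct nests typed item arrays; only the signature shape matters here).
struct EventLogData {
    bytes32[] items;
}

interface IGasFeeCallbackReceiver {
    function refundExecutionFee(bytes32 key, EventLogData memory eventData) external payable;
}

/// Hardened refund receiver. Assumes the deployer knows the address of the GMX
/// contract that will invoke the callback (`gmxCallbackCaller` is an assumed name).
contract RefundReceiver is IGasFeeCallbackReceiver {
    address public immutable gmxCallbackCaller;

    // Refunded execution fee per order key, so the amount GMX returned is auditable.
    mapping(bytes32 => uint256) public refundedFee;

    error UnauthorizedCallback(address caller);
    event ExecutionFeeRefunded(bytes32 indexed key, uint256 amount);

    constructor(address _gmxCallbackCaller) {
        require(_gmxCallbackCaller != address(0), "zero callback caller");
        gmxCallbackCaller = _gmxCallbackCaller;
    }

    // Reverts unless the caller is the configured GMX contract.
    modifier onlyGmx() {
        if (msg.sender != gmxCallbackCaller) revert UnauthorizedCallback(msg.sender);
        _;
    }

    /// Vulnerable form from the finding, for comparison:
    ///   function refundExecutionFee(bytes32, EventLogData memory) external payable {}
    /// Hardened form: only the configured GMX contract may deliver the refund, and the
    /// amount received for each order key is recorded.
    function refundExecutionFee(bytes32 key, EventLogData memory /* eventData */)
        external
        payable
        override
        onlyGmx
    {
        refundedFee[key] += msg.value;
        emit ExecutionFeeRefunded(key, msg.value);
    }
}
```

If more than one GMX contract can trigger the callback on a given deployment, replace the single immutable address with an allowlist mapping populated at deployment; the check in the modifier stays the same.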

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

kevinkkien Submitter 7 months ago

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
