Liquidity Management

Gamma

DeFiFoundry

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

lobal Queue Overwriting and Single‑Order Assumption

pengu

GmxProxy.sol

Observation:
GmxProxy uses a single global variable, queue (of type OrderQueue), to store the request key and settlement flag for the active order. In both the createOrder and settle functions the new order’s request key is written into queue.requestKey, and later the callbacks (in afterOrderExecution and afterOrderCancellation) simply “delete queue” to clear it.

Issue Path:
This design assumes that only one order will be active at any given time. If the associated PerpetualVault (or an attacker who can manipulate vault calls) triggers multiple orders concurrently or before the previous order’s callback completes, the global queue can be overwritten. This leads to mismatches in callbacks—meaning the vault might process the wrong order’s results, misallocate funding fee claims, or even lose track of pending orders. Such behavior directly violates the protocol’s assumption of sequential, isolated order processing and can disrupt accurate share and fee accounting.

Recommendation:
Either redesign the proxy so that it supports multiple outstanding orders (for example, by using a mapping or an array keyed by requestKey) or ensure that the vault strictly enforces sequential order submissions so that a new order cannot be initiated until the previous one’s callback has been fully processed.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

invalid_queue_requestKey_overwrite

Order is proceed one by one and requestKey is only used to cancelOrder. I didn’t see any real scenario where it will cause a problem. Flow and gmxLock will prevent that to happen.

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

1,910

26 USDC / LOC

High Medium

47,500

Low

2,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!