hack3r-0m - temporary DOS when `cancelOrder` and `executeOrder` features are disabled for a market at same time
Closed this issue · 5 comments
hack3r-0m
medium
temporary DOS when `cancelOrder` and `executeOrder` features are disabled for a market at the same time
Summary
Temporary DOS when `cancelOrder` and `executeOrder` features are disabled for a market at the same time.
Vulnerability Detail
If there are pending orders to be executed for a market and, due to some black swan event, both the `cancelOrder` and `executeOrder` features are disabled by the admin, then users cannot cancel their orders and get their funds back.
The protocol must ensure that whenever the execute feature is disabled, cancelling of pending orders is guaranteed to be enabled, so that users can claim their funds back from the associated vault, since cancelling does not impact the accounting of liquidity, positions or swaps.
Impact
Users cannot claim back their funds until either the execute feature is enabled and a keeper executes the action, or the cancel feature is enabled and the user cancels the order successfully.
Code Snippet
- https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/exchange/OrderHandler.sol#L118
- https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/exchange/OrderHandler.sol#L207
Tool used
Manual Review
Recommendation
Add checks in the contract to ensure cancelling is enabled whenever executing is disabled.
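As an added illustration of this recommendation (example code, not from GMX or from the report), a hypothetical feature-flag guard showing the unchecked pattern beside a hardened setter that keeps cancelling available whenever executing is disabled; the contract, function and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Hypothetical, simplified feature-flag guard; not the GMX code. The contract,
// function and error names are assumptions made for this example.
contract FeatureGuard {
    enum Feature { ExecuteOrder, CancelOrder }

    address public immutable admin;
    // feature => market => disabled?
    mapping(Feature => mapping(address => bool)) public disabled;

    error Unauthorized();
    error DisabledFeature(Feature feature, address market);
    error CancelMustStayEnabled(address market);

    constructor() { admin = msg.sender; }

    // Weak version, the pattern the report describes: each flag is toggled
    // independently, so both can be disabled at once and pending orders are
    // stuck until an admin re-enables one of them.
    function setFeatureDisabledUnchecked(Feature feature, address market, bool isDisabled) external {
        if (msg.sender != admin) revert Unauthorized();
        disabled[feature][market] = isDisabled;
    }

    // Hardened version: cancelOrder cannot be disabled while executeOrder is
    // disabled, and disabling executeOrder re-enables cancelOrder, so users can
    // always recover the funds of a pending order by cancelling it.
    function setFeatureDisabled(Feature feature, address market, bool isDisabled) external {
        if (msg.sender != admin) revert Unauthorized();
        if (feature == Feature.CancelOrder && isDisabled && disabled[Feature.ExecuteOrder][market]) {
            revert CancelMustStayEnabled(market);
        }
        disabled[feature][market] = isDisabled;
        if (feature == Feature.ExecuteOrder && isDisabled) {
            disabled[Feature.CancelOrder][market] = false;
        }
    }

    // Check for the order handler's cancel path. Cancelling is blocked only
    // while executing is still possible, so the invariant holds even if the
    // flags were written earlier by the unchecked setter.
    function validateCancelAllowed(address market) external view {
        if (disabled[Feature.CancelOrder][market] && !disabled[Feature.ExecuteOrder][market]) {
            revert DisabledFeature(Feature.CancelOrder, market);
        }
    }
}
```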
Escalate for 10 USDC
under https://docs.sherlock.xyz/audits/judging/judging#how-to-identify-a-medium-issue:
A material loss of funds, no/minimal profit for the attacker at a considerable cost
Here, there is no attacker and hence no profit for an attacker.
The material loss of funds is the time value of money (i.e. due to the temporary DOS, users cannot cancel their orders and obtain their funds back).
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
There is no loss of funds, and the 'DOS' is caused by the admin, which Sherlock does not reward
Escalation rejected
There is no loss of funds, and a temporary DOS caused by admins, as in this case, is not considered a valid high/medium, as they are trusted with these actions.
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.