sherlock-audit / 2023-02-gmx-judging


hack3r-0m - temporary DOS when `cancelOrder` and `executeOrder` features are disabled for a market at same time #202

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

hack3r-0m

medium

temporary DOS when cancelOrder and executeOrder features are disabled for a market at same time

Summary

temporary DOS when cancelOrder and executeOrder features are disabled for a market at same time

Vulnerability Detail

If there are pending orders to be executed for a market and, due to some black swan event, both the cancelOrder and executeOrder features are disabled by the admin, then users cannot cancel their orders and get their funds back.

The protocol must ensure that whenever execute features are disabled, cancelling of pending orders is guaranteed to be enabled, so users can claim their funds back from the associated vault, since cancelling does not impact the accounting of liquidity, positions or swaps.

Impact

Users cannot claim back funds until either the execute feature is enabled and a keeper executes the action, or the cancel feature is enabled and the user cancels the order successfully.

Code Snippet

Tool used

Manual Review

Recommendation

Add checks in the contract to ensure cancelling is enabled when executing is disabled.
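An added, hypothetical illustration of the recommendation above (example code, not GMX's contracts and not the reporter's): the contract name, feature keys and function names are assumed; the point is that the admin setter refuses to disable cancelling while executing is already disabled, and the cancel-time check lets cancellation through whenever execution is off, so pending orders can always be unwound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-alone model (not GMX code): per-market feature flags for
// cancelOrder / executeOrder, with the invariant "cancelling is never blocked
// while executing is disabled" enforced both at configuration and at use time.
contract OrderFeatureFlags {
    address public immutable admin;

    // market => feature key => disabled?
    mapping(address => mapping(bytes32 => bool)) private disabled;

    bytes32 public constant EXECUTE_ORDER = keccak256("EXECUTE_ORDER"); // assumed key
    bytes32 public constant CANCEL_ORDER  = keccak256("CANCEL_ORDER");  // assumed key

    error Unauthorized();
    error DisabledFeature(bytes32 feature);
    error CancelMustStayEnabled(address market);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized();
        _;
    }

    function isDisabled(address market, bytes32 feature) public view returns (bool) {
        return disabled[market][feature];
    }

    // Configuration-time guard: the admin may not disable cancelling for a
    // market whose execution is already disabled (re-enable execute first).
    function setDisabled(address market, bytes32 feature, bool value) external onlyAdmin {
        if (feature == CANCEL_ORDER && value && disabled[market][EXECUTE_ORDER]) {
            revert CancelMustStayEnabled(market);
        }
        disabled[market][feature] = value;
    }

    // Use-time guard, to be called from cancelOrder: cancelling is refused only
    // when the cancel feature is off AND execution is still possible. If
    // execution is disabled, users can always cancel and reclaim their funds.
    function validateCancel(address market) public view {
        if (disabled[market][CANCEL_ORDER] && !disabled[market][EXECUTE_ORDER]) {
            revert DisabledFeature(CANCEL_ORDER);
        }
    }
}
```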

hack3r-0m commented 1 year ago

Escalate for 10 USDC

under https://docs.sherlock.xyz/audits/judging/judging#how-to-identify-a-medium-issue:

A material loss of funds, no/minimal profit for the attacker at a considerable cost

Here, there is no attacker and hence no profit for the attacker. The material loss of funds is the time value of money (i.e. due to the temporary DOS, the user cannot cancel the order and obtain their funds back).

sherlock-admin commented 1 year ago

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

IllIllI000 commented 1 year ago

There is no loss of funds, and the 'DOS' is caused by the admin, which Sherlock does not reward

hrishibhat commented 1 year ago

Escalation rejected

There is no loss of funds, and a temporary DOS in this case, as it is caused by admins, is not considered a valid high/medium since they are trusted with these actions.

sherlock-admin commented 1 year ago

This issue's escalations have been rejected!

Watsons who escalated this issue will have their escalation amount deducted from their next payout.