caventa
medium
Deposit and Withdrawal can be cancelled without sufficient time has passed from executeDeposit and executeWithdrawal
Deposit and Withdrawal can be cancelled without sufficient time has passed from executeDeposit and executeWithdrawal
function validateRequestCancellation(
DataStore dataStore,
uint256 createdAtBlock,
string memory requestType
) internal view {
uint256 requestExpirationAge = dataStore.getUint(Keys.REQUEST_EXPIRATION_BLOCK_AGE);
uint256 requestAge = Chain.currentBlockNumber() - createdAtBlock;
if (requestAge < requestExpirationAge) {
revert RequestNotYetCancellable(requestAge, requestExpirationAge, requestType);
}
}validationRequestCancellation (See code above) is called when controller cancels deposit and withdrawal directly. However, if the contract is cancelled after exception is thrown in executeDeposit or executeWithdrawal, the checking is skipped
Deposit and withdrawal can be cancelled without sufficient time to be has passed if exception is thrown in executeDeposit or executeWithdrawal
https://github.com/gmx-io/gmx-synthetics/blob/main/contracts/exchange/DepositHandler.sol#L71-L75 https://github.com/gmx-io/gmx-synthetics/blob/main/contracts/exchange/WithdrawalHandler.sol#L71-L75
Manual Review
Add the validation in executeDeposit and executeWithdrawal