Relevant GitHub Links
Keys.MAX_CALLBACK_GAS_LIMIT is configurable param inside GMX protocol, which can be changed to value that is smaller than 2 millions. As Steadefi doesn't callback gas limit is hardcoded, deposits and withdraws can fail.
GMXWorker library is used to send requests directly to GMX protocol. It contains
removeLiquidity functions that will create request on GMX and will be waiting for execution. Both these functions set 2 millions of gas as
When deposit or withdraw request is handled on GMX side, then
callbackGasLimit is validated to be not bigger than it's allowed.
Keys.MAX_CALLBACK_GAS_LIMIT value is configurable and can be changed by GMX team. And in case if it will be less than 2 million, then all deposits and withdraws requests from steadefi will be reverted.
I leave this as medium severity, because of the fact that callback limit should be decreased first in order to create problems.
Deposits and withdraws from steadefi will be blocked.
callbackGasLimit to be configurable.