Steadefi

Summary

As protocol doesn't collect rewards from GMX in each function, these rewards can be sent to the user.

Vulnerability Details

Each deposit, tokenA and tokenB balance is sent to the Trove. The same is done for the withdraw.

This is because protocol expects to receive rewards from GMX in form of these tokens. So amount is sent to the Trove function, so later it can be compounded.

The problem is that deposit and withdraw functions are not the only entry point that can send these rewards to user. For example, processDepositFailureLiquidityWithdrawal function will send whole balance to the user after repay is done.
Another example inside processDepositCancellation function, in case if depositParams.token is native, then whole balance is sent to user.

As after deposit or withdraw request was done, there is some delay, then during that delay rewards can come and they can be sent to the user.

Impact

Rewards are not sent to the Trove, but to the user.

Tools Used

VsCode

Recommendations

I can't give good recommendation for all that cases, as GMXCallback is triggered by GMX and you can't know exactly which amount was sent. But for processDepositCancellation function, you should not sent more than self.depositCache.depositParams.amt. So do not withdraw whole balance, but that amount.