Summary

During the processing of deposit cancellations, a vulnerability has been identified in the repay function within the contract. This function lacks essential validation and does not provide any feedback regarding the success or failure of transactions when repaying borrowed tokens to lending vaults. It's important to note that, as the LendingVault component falls outside the scope of this audit, we cannot guarantee the consistency of transaction success. The absence of validation raises a critical concern: transactions may silently fail to repay debt, ultimately leading to funds becoming stranded within the GMXVault.sol contract. Furthermore, during deposit and withdrawal actions, this issue can be compounded as funds are transferred to an address referred to as "trove," resulting in potential financial losses for lenders.

Vulnerability Details

Impact

The potential impact of this vulnerability includes:

Funds become trapped in the contract due to unsuccessful repayment transactions.
Losses for lenders as the deposit function may further move funds to the trove address without the debt being addressed.

Tools Used

Recommendations

1. Transaction Validation: Implement thorough validation in the repay function to ensure the success of debt repayment. This should include verifying that the transaction successfully repays the specified debt amounts.

2. Try/Catch Exception Handling: Implement a try/catch mechanism to handle exceptions and revert the transaction in case of failure. This approach can prevent the silent failure of transactions and provide clearer feedback on success or failure. Ensure that the catch block handles any exceptional scenarios gracefully.

3. Implement a Pull over Push Payment Pattern: Consider adopting a "Pull over Push" payment pattern. Restrict updates to the repayment mechanism to authorized keepers who manually trigger the repayments. This pattern allows for more control and predictability in debt repayment processes and helps prevent unauthorized or unintended transactions.