Users withdraw more assets than should when `mintFee` was called long ago
Summary
The amount of LP-tokens to withdraw is calculated at the GMXWithdraw.withdraw before the mintFee function is called. The mintFee function increases the totalSupply amount. This way users receive more tokens than should be at the current timestamp. The longer the period since the last mintFee was called the more excess tokens the user receives.
Vulnerability Details
The protocol mints vault token shares as management fees to protocol treasury with the mintFee function. This increases the totalSupply of the shares. The amount of minted fees depends on the time since the last mintFee call.
While withdrawal amount of LP-token can be calculated with outdated totalSupply:
The mintFee is called only after this calculation.
Impact
Users can receive excess amounts of tokens during withdrawal. Other users and the protocol management lose value of their shares.
Tools used
Manual Review
Recommendations
Consider calling the mintFee before the _wc.shareRatio calculation.
Lead Judging Commences
Fee not accounted during withdrawal
Impact: High Likelihood: High User share amount is calculated before minting fee and the remaining users will need to more fee than reasonable.
Withdraw share amount does not take the fee into account
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.