After a deposit, if GMX cancels the add-liquidity request, processDepositCancellation is called to repay the borrowed assets and to return the user's deposited asset. A malicious user can stop this by depositing some funds using GMXDeposit.sol::deposit.
After a deposit, if GMX cancels the add-liquidity request, the keeper calls processDepositCancellation at:
https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXVault.sol#L366C1-L370C5
to repay the borrowed assets and return the user's deposit, as described above. But if a malicious actor front-runs the keeper and deposits a small amount of tokens into the same vault, the user funds held in the contract are swept to the Trove for compounding, because of the following code in GMXDeposit.sol::deposit:
https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXDeposit.sol#L61C3-L66C6
This temporarily locks the user's funds, and the user cannot withdraw them for any immediate needs.
Temporary locking of user funds
Manual Review
If adding liquidity fails in the GMXDeposit.sol::deposit function, handle the cancellation within the same transaction rather than in a separate one, to avoid such vulnerabilities.
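The race described above and the same-transaction handling recommended here, as a simplified Python model. This is an added example, not code from the Steadefi repository: the class, method and user names are hypothetical, and the sweep-on-deposit behaviour is assumed from the report's description of GMXDeposit.sol::deposit.

```python
# Simplified model (hypothetical names); not the project's contract code.
from dataclasses import dataclass, field


@dataclass
class VaultModel:
    atomic_cancel: bool                            # True = recommended handling
    balance: int = 0                               # tokens held by the vault
    trove: int = 0                                 # tokens swept for compounding
    at_gmx: dict = field(default_factory=dict)     # user -> amount sent to GMX
    pending: dict = field(default_factory=dict)    # user -> refund awaiting keeper
    refunded: dict = field(default_factory=dict)   # user -> amount returned

    def deposit(self, user, amount):
        # Assumption from the report: deposit() sweeps any tokens already
        # sitting in the vault to the trove before forwarding the new deposit.
        self.trove += self.balance
        self.balance = 0
        self.at_gmx[user] = amount

    def gmx_cancel(self, user):
        # GMX cancels the add-liquidity request and returns the tokens.
        amount = self.at_gmx.pop(user)
        self.balance += amount
        if self.atomic_cancel:
            self._refund(user, amount)             # no window for another deposit
        else:
            self.pending[user] = amount            # keeper finishes in a later tx

    def process_deposit_cancellation(self, user):
        self._refund(user, self.pending[user])
        del self.pending[user]

    def _refund(self, user, amount):
        if self.balance < amount:
            raise RuntimeError("vault balance too low to refund")
        self.balance -= amount
        self.refunded[user] = amount


def run_scenario(atomic_cancel):
    """Return (alice_refund, trove_balance, keeper_call_succeeded)."""
    vault = VaultModel(atomic_cancel)
    vault.deposit("alice", 100)
    vault.gmx_cancel("alice")
    vault.deposit("mallory", 1)                    # lands before the keeper's tx
    keeper_ok = True
    if "alice" in vault.pending:
        try:
            vault.process_deposit_cancellation("alice")
        except RuntimeError:
            keeper_ok = False
    return vault.refunded.get("alice", 0), vault.trove, keeper_ok
```

With the two-transaction flow the keeper call fails and the 100 tokens end up in the trove; with the cancellation handled in the same transaction the refund completes before any other deposit can run.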