Steadefi
Steadefi
DeFiHardhatFoundryOracle
35,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

`GMXVault` contract missing withdraw function to rescue stuck native tokens

0xhals

Summary

GMXVault contract missing withdraw function to rescue stuck native tokens

Vulnerability Details

In GMXVault contract : almost all user-facing functions are payable (deposit and withdraw functions) in order to pay for the execution fees of the 3rd party (GMX exchange router keeper), and these functions doesn't implemnt a check on the sent msg.value if it's greater than the deposit execution fee or withdrawal execution fee, which will lead to some native tokens being stuck in the vault instead of being refunded for the user.

Impact

Since the GMXVault contract doesn't implement a withdrawal function for any residual native tokens; these native tokens will be stuck in the vault.

Proof of Concept

GMXVault.deposit function

function deposit(GMXTypes.DepositParams memory dp) external payable nonReentrant {
GMXDeposit.deposit(_store, dp, false);
}

GMXVault.withdraw function

function withdraw(GMXTypes.WithdrawParams memory wp) external payable nonReentrant {
GMXWithdraw.withdraw(_store, wp);
}

Tools Used

Manual Review.

Recommendations

Refund users the extra native tokens (msg.value- dp.executionFee) sent when calling GMX.deposit & GMX.withdraw functions.

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.