Summary

A critical vulnerability exists in the settle function due to a hardcoded initialCollateralDeltaAmount value set to 1. This prevents complete withdrawal of user collateral from positions, leading to partial funds being permanently stuck in protocol contracts or exposed to liquidation risks. The flaw systematically jeopardizes user assets and violates core custodial obligations.

Vulnerability Details

Affected Code

Root Cause Analysis

1. Non-adaptive Withdrawal Logic:
   The initialCollateralDeltaAmount parameter is fixed at 1, regardless of the actual collateral amount in the position. This violates the fundamental requirement of full collateral withdrawal during settlement.

2. Position Data Ignorance:
   The function fails to query the current collateral amount via GMX's getPositionInfo before creating orders, using a static value instead.

3. Multi-Transaction Burden:
   To withdraw full collateral (N units), users must manually call settle() N times - an impractical expectation leading to guaranteed partial losses.

Technical Demonstration

1. Position Creation:

   • User deposits 100 ETH as collateral for a $1M position.

2. Settlement Trigger:

   • Protocol calls settle(), setting initialCollateralDeltaAmount=1.

3. Incomplete Withdrawal:

   • Only 1 ETH is withdrawn. Remaining 99 ETH:

     • If left in contract: Earns no yield and becomes inaccessible.

     • If market crashes: Gets liquidated, causing total loss.

4. Required Manual Intervention:

   • User must detect the issue and call settle() 99 more times (improbable in practice).

Impact

• Direct Fund Loss: Unwithdrawn collateral exposed to liquidation.