Liquidity Management

Summary

Loss of execution fee for the user when trying to withdraw the funds(liquidated fund) from the vault when the vault is liquidated.

Vulnerability Details

When the vault is liquidated the curPositionKey value becomes 0 but still, the value of the positionIsClosed remains false. Now to withdraw the funds from the vault user calls withdraw() function. Function calculates the execution fee using _payExecutionFee() function. In the _payExecutionFee function it calls getExecutionGasLimit() function and if the positionIsClosed == false then only fees is applied. In our condition the positionIsClosed is false and hence user has to pay for the (callback + MarketDecrease) two times because of the withdraw.

Now after paying the fee and because the curPositionKey = 0 it will directly call the _withdraw() function. Now it checks for if the positionIsClosed = true but in this case this will not be true and same with _isLongOneLeverage(beenLong). But curPositionKey value is 0 hence it will go inside the condition and call _handleReturn() function with arguments 0, true, false.

The third argument passed as false which represents the refundFee boolean. Now when the refundFee is passed as a false user will not get the refund of the fee.

Why it should refund the fee to the user:

1. Protocol took the fee for 2 callback and 2 execution but in this path it only calls only the _withdraw and _handleReturn function.

2. Protocol charges more amount to the user than it actually uses.

3. Hence it will be loss for the user that they have to pay extra.

Impact

Loss of fee for the user.

Tools Used

Manual Review

Recommendations