In the PerpetualVault::_handleReturn function, the code mistakenly calls refundExecutionFee using depositInfo[counter] instead of depositInfo[depositId]. This results in refunding the wrong caller address and amount when the deposit being withdrawn is not the most recent deposit (counter).
Instead of using depositInfo[depositId].owner and depositInfo[depositId].executionFee - usedFee, the function references depositInfo[counter], causing potential misdirection of the refund.
When a user withdraws with depositId ≠ counter, they will not receive the correct refund, and another (last) depositor might inadvertently receive it. This can lead to loss of funds for the withdrawing user.
Here is the code snippet that is vulnerable:
Funds intended for the user making the withdrawal can be incorrectly sent to the user who made the most recent deposit. This causes a direct financial loss for the withdrawing user and an unexpected gain for the last depositor.
Manual Review
Replace the usage of depositInfo[counter] with depositInfo[depositId] when calling refundExecutionFee. For example:
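The bug and the recommended fix side by side, as an added example: this is a simplified model written for illustration, not the PerpetualVault source. The contract name RefundModel, the deposit and handleReturn* functions, the refunded ledger and the executionFee > usedFee guard are assumptions; only depositInfo, counter, depositId, owner, executionFee, usedFee and refundExecutionFee come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; NOT the PerpetualVault source.
contract RefundModel {
    struct DepositInfo {
        address owner;
        uint256 executionFee;
    }

    uint256 public counter; // id of the most recent deposit
    mapping(uint256 => DepositInfo) public depositInfo;
    mapping(address => uint256) public refunded; // stands in for the real transfer

    // Hypothetical helper: records a deposit and returns its id.
    function deposit(address owner, uint256 executionFee) external returns (uint256 id) {
        id = ++counter;
        depositInfo[id] = DepositInfo(owner, executionFee);
    }

    // Modelled as a ledger update instead of a token/ETH transfer.
    function refundExecutionFee(address to, uint256 amount) internal {
        refunded[to] += amount;
    }

    // Behaviour described in the finding: the lookup uses counter, so the
    // refund goes to the latest depositor and is sized from their fee.
    // The depositId argument is ignored, which is the bug.
    function handleReturnVulnerable(uint256 /* depositId */, uint256 usedFee) external {
        DepositInfo storage info = depositInfo[counter];
        if (info.executionFee > usedFee) { // guard is an assumption
            refundExecutionFee(info.owner, info.executionFee - usedFee);
        }
    }

    // Recommended fix: look up the deposit that is actually being withdrawn.
    function handleReturnFixed(uint256 depositId, uint256 usedFee) external {
        DepositInfo storage info = depositInfo[depositId];
        if (info.executionFee > usedFee) { // guard is an assumption
            refundExecutionFee(info.owner, info.executionFee - usedFee);
        }
    }
}
```

With two deposits recorded (id 1 for one user, id 2 for another), handleReturnVulnerable(1, usedFee) credits the owner of deposit 2, while handleReturnFixed(1, usedFee) credits the owner of deposit 1.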
Likelihood: Medium/High, when withdrawing on a 1x vault. Impact: High, the fees will be distributed to the last depositor and not the withdrawer.