DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Valid

Incorrect refund id usage in _handleReturn function

Summary

The _handleReturn function incorrectly uses counter instead of depositId when processing refunds, leading to potential issues with accurate gas fee refunds for users.

Vulnerability Details

The issue occurs in the _handleReturn function within the PerpetualVault contract. Specifically, when handling refunds, the code uses counter to access depositInfo:

try IGmxProxy(gmxProxy).refundExecutionFee(depositInfo[counter].owner, depositInfo[counter].executionFee - usedFee) {} catch {}

This is problematic because counter always points to the most recent deposit, while depositId refers to the specific deposit being processed. If a user withdraws funds from an older deposit, counter won't match their deposit, leading to incorrect refund calculations or no refund at all.

Impact

Users may experience issues with gas fee refunds, including missing refunds or receiving the wrong amount.

Tools Used

Manual Review

Recommendations

Replace counter with depositId in the refund logic to ensure the correct deposit is referenced:

try IGmxProxy(gmxProxy).refundExecutionFee(depositInfo[depositId].owner, depositInfo[depositId].executionFee - usedFee) {} catch {}

This change aligns the refund logic with the rest of the function, which already uses depositId correctly.
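
The misdirected refund as a minimal model, added here as an example and not taken from the PerpetualVault source. VaultModel, RefundSink, RefundCheck, the two refund functions, and the sample addresses and fee values are hypothetical names and constructed inputs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified model, not the PerpetualVault source.
// RefundSink is a hypothetical stand-in for the proxy; it only records payouts.
contract RefundSink {
    mapping(address => uint256) public refunded;
    function refundExecutionFee(address to, uint256 amount) external {
        refunded[to] += amount;
    }
}

contract VaultModel {
    struct DepositInfo { address owner; uint256 executionFee; }
    mapping(uint256 => DepositInfo) public depositInfo;
    uint256 public counter; // id of the most recent deposit
    RefundSink public sink = new RefundSink();

    function deposit(address owner, uint256 fee) external returns (uint256 id) {
        id = ++counter;
        depositInfo[id] = DepositInfo(owner, fee);
    }

    // Reported behaviour: the deposit being processed is ignored, counter is used.
    function refundReported(uint256 /* depositId */, uint256 usedFee) external {
        try sink.refundExecutionFee(depositInfo[counter].owner, depositInfo[counter].executionFee - usedFee) {} catch {}
    }

    // Recommended behaviour: index by the deposit being processed.
    function refundRecommended(uint256 depositId, uint256 usedFee) external {
        try sink.refundExecutionFee(depositInfo[depositId].owner, depositInfo[depositId].executionFee - usedFee) {} catch {}
    }
}

// Regression check: alice owns deposit 1, bob makes the latest deposit (2).
contract RefundCheck {
    function run() external {
        address alice = address(0xA11CE);
        address bob = address(0xB0B);
        VaultModel v = new VaultModel();
        uint256 aliceId = v.deposit(alice, 100);
        v.deposit(bob, 100);

        v.refundReported(aliceId, 40);
        require(v.sink().refunded(bob) == 60 && v.sink().refunded(alice) == 0, "expected misdirected refund");
        v.refundRecommended(aliceId, 40);
        require(v.sink().refunded(alice) == 60, "owner of depositId must be refunded");
    }
}
```

A regression test for the real contract would follow the same shape: make a second deposit after the one being withdrawn, then assert that the refund recipient is the owner of the processed depositId.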

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_counter_invalid_during_handleReturn

Likelihood: Medium/High, when withdrawing on a 1x vault. Impact: High, the fees will be distributed to the last depositor and not the withdrawer.
