User can never withdraw from a 1x leverage position without using the GMX swap.
Summary
In _handleReturn() the refunding of a depositId is done after the depositInfo[depositId] is deleted. This will always result in revert.
Vulnerability Details
Lets say the position is 1x leverage Open and a user calls withdraw(). (FLOW = FLOW.WITHDRAW)
Now the keeper calls runNextAction() inorder to swap the indexTokens to collatteralTokens by just using paraswaps. Hence no calls to GMX swap iis made.
This code will get executed.
refundFees is true here. Since no gmxCalls are been done.
Now lets check inside _handleReturn() .
https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/PerpetualVault.sol#L1143-L1150
in _burn(depositId)code depositInfo[depositId] is deleted and the check depositInfo[depositId].executionFee > usedFee is made after the this deletion.
Hence this txn will revert leading to the dos.
Impact
User can never withdraw from a 1x leverage position without using the GMX swap.
Tools Used
Manual
Recommendations
execute refund fees even before.
Lead Judging Commences
finding_burn_depositId_before_refund
Likelihood: High, every time a user withdraw on 1x vault with paraswap Impact: Medium, fees never claimed to GMX and refund to the owner.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.