DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Execution Fee Refund Logic Can Be Manipulated

Summary

The execution fee refund logic in PerpetualVault allows users to manipulate the refund process, potentially leading to excessive refunds or unexpected gas usage. Attackers can exploit this to drain execution fees from the protocol by artificially increasing gas prices or forcing unnecessary refunds.

Vulnerability Details

Functions Affected:

  • _mint()

  • _handleReturn()

Root Cause:

  • The contract calculates execution fee refunds using tx.gasprice, but this can be artificially inflated by the user when submitting a transaction.

  • The refund logic does not impose an upper limit, allowing users to force excessive refunds beyond actual gas costs.

  • Refund attempts occur in a try-catch block without proper handling, meaning attackers can repeatedly attempt refunds until conditions are favorable.

PoC

Attackers can manipulate tx.gasprice to get higher-than-intended refunds:

  1. Deposit funds while setting an artificially high gas price.

  2. Trigger execution fee refund calculations in _mint() or _handleReturn().

  3. Receive an excessive refund compared to actual gas costs.

  4. Repeat the process to drain the protocol’s execution fee reserves.

Impact

  • Excessive refunds can deplete protocol funds, leading to financial losses.

  • Gas price manipulation allows users to drain ETH reserves by forcing unnecessary refunds.

  • Potential DoS attack vector, where attackers repeatedly trigger refund logic with high gas prices.

Tools Used

Manual Review

Recommendations

  • Set a maximum refund cap to prevent excessive refunds beyond reasonable gas costs.

  • Use a fixed gas price estimation instead of tx.gasprice to calculate execution fees.

  • Prevent multiple refund attempts by storing a refund claim state.

  • Improve error handling in the try-catch block to avoid silent refund failures.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_tx-gasprice_user_manipulation

If the sender does not provide enough, the transaction to create the order won't be included in the current block: no problem. If the user provides more, they will pay more: user mistake. Moreover, the `refundFee` is set to `true` only when the keeper is the caller, preventing manipulation.
