Inconsistent Execution Fee Handling
Summary
While the contract checks for underpayment of execution fees via msg.value < minExecutionFee, it fails to address overpayment and relies on users accurately predicting volatile gas costs. This leads to irreversible loss of excess ETH and UX friction due to rigid fee handling.
Vulnerability Details
Key Issues
-
No Refund for Overpayment
If
msg.value > minExecutionFee, the excess ETH is not returned to the user.Example:
minExecutionFee = 0.01 ETHbut user sends0.02 ETH→ 0.01 ETH is permanently lost.
-
Volatile
tx.gaspriceDependencyminExecutionFee = getExecutionGasLimit() * tx.gaspriceis calculated on-chain at transaction execution time.Users must guess future
tx.gaspricewhen submitting transactions, leading to:Underpayment: Transaction reverts if gas prices spike.
Overpayment: Excess ETH locked if gas prices drop.
-
ETH/ERC20 Coupling
Users must send ETH alongside ERC20 token transfers for
deposit(), creating friction:Requires managing two assets (ETH + ERC20).
Fails if either balance is insufficient.
Affected Code
Impact
Financial Loss: Users permanently lose overpaid ETH.
Transaction Failures: Unpredictable gas prices cause reverts even if users "guess" fees correctly initially.
Poor UX: Users must handle ETH alongside ERC20s and risk errors.
Proof of Concept (PoC)
Scenario: Overpayment Due to Gas Price Drop
-
User Action:
Calls
deposit(1000 USDC)whentx.gasprice = 20 gwei.minExecutionFee = 200,000 gas * 20 gwei = 0.004 ETH.User sends
0.005 ETH(25% overpayment).
-
Result:
Transaction succeeds, but 0.001 ETH is locked in
gmxProxywith no refund.
Scenario: Underpayment Due to Gas Spike
-
User Action:
Estimates
tx.gasprice = 10 gwei→ sends0.002 ETH.At execution,
tx.gasprice = 15 gwei→minExecutionFee = 0.003 ETH.
-
Result:
Transaction reverts → User wastes gas fees and must retry.
Recommended Mitigations
1. Refund Excess ETH
Modify _payExecutionFee to return unused ETH:
2. Decouple ETH from ERC20 Operations
Option A: Use ERC20 for fees (e.g., stablecoin) via approval/transferFrom.
Option B: Allow users to pre-fund ETH into the contract (e.g.,
depositEth()) and deduct fees from their balance.
3. Dynamic Fee Estimation
Provide an off-chain helper to estimate minExecutionFee based on real-time gas prices:
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Users mistake, only impacting themselves.
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
invalid_no_refund
According the sponsor, here is the design choice: - when there's gmx interaction, no refund. - when there's no gmx interaction, refund fee. The remaining fees are used for gas cost of the keepers.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.