The _cancelFlow
function in the PerpetualVault
contract is designed to handle the cancellation of ongoing flows, including refunding the ExecutionFee
to the user. However, the current implementation uses a try-catch
block to handle potential failures in the refundExecutionFee
call without emitting an event. This lack of event emission makes it impossible for users to track whether the ExecutionFee
was successfully refunded, leading to potential confusion and a poor user experience.
The _cancelFlow
function attempts to refund the ExecutionFee
to the user using the refundExecutionFee
function from the gmxProxy
contract. The call is wrapped in a try-catch
block to handle potential failures, but no event is emitted if the refund fails.
Users may assume their ExecutionFee
was refunded when it was not, leading to dissatisfaction and disputes. The impact is Medium, the likelihood is Low, so the severity is Low.
Manual Review
To address this issue, the contract should emit an event when the ExecutionFee
refund fails. This event should include relevant details such as the recipient address and the amount of the ExecutionFee
.
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.