DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Valid

The `_handleReturn` function uses incorrect deposit ID for execution fee refund

Summary

The `_handleReturn` function uses an incorrect deposit ID for the execution fee refund.

Vulnerability Details

contracts/PerpetualVault.sol#L1129

When executing the refund logic, the function first checks the balance of `depositId` with `depositInfo[depositId].executionFee > usedFee`, but then sends the funds to `depositInfo[counter].owner`, with the amount computed from `depositInfo[counter].executionFee`.

```solidity
if (refundFee) {
    uint256 usedFee = callbackGasLimit * tx.gasprice;
    if (depositInfo[depositId].executionFee > usedFee) { // @audit depositInfo[counter] -> depositInfo[depositId]
        try IGmxProxy(gmxProxy).refundExecutionFee(depositInfo[counter].owner, depositInfo[counter].executionFee - usedFee) {} catch {}
    }
}
```

Impact

This causes users to lose funds.

Tools Used

Recommendations


Recommended fix:

```solidity
if (refundFee) {
    uint256 usedFee = callbackGasLimit * tx.gasprice;
    if (depositInfo[depositId].executionFee > usedFee) {
        try IGmxProxy(gmxProxy).refundExecutionFee(depositInfo[depositId].owner, depositInfo[depositId].executionFee - usedFee) {} catch {}
    }
}
```
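
The mismatch and the fix, reduced to a self-contained model. This is an added example, not code from `PerpetualVault.sol` or from the submission: only `depositInfo`, `counter`, `owner` and `executionFee` follow names in the finding, while `RefundModel`, `deposit`, `refundBuggy`, `refundFixed`, `scenario` and the addresses and amounts are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model, NOT PerpetualVault.sol. depositInfo, counter, owner and
// executionFee follow the names in the finding; RefundModel, deposit,
// refundBuggy, refundFixed and scenario are hypothetical.
contract RefundModel {
    struct DepositInfo {
        address owner;
        uint256 executionFee;
    }

    mapping(uint256 => DepositInfo) public depositInfo;
    uint256 public counter; // id of the most recent deposit

    function deposit(address owner, uint256 executionFee) public returns (uint256 id) {
        id = ++counter;
        depositInfo[id] = DepositInfo(owner, executionFee);
    }

    // Reported logic: the guard reads depositId, the payout reads counter.
    function refundBuggy(uint256 depositId, uint256 usedFee) public view returns (address to, uint256 amount) {
        if (depositInfo[depositId].executionFee > usedFee) {
            to = depositInfo[counter].owner;
            amount = depositInfo[counter].executionFee - usedFee;
        }
    }

    // Recommended fix: guard and payout read the same record.
    function refundFixed(uint256 depositId, uint256 usedFee) public view returns (address to, uint256 amount) {
        if (depositInfo[depositId].executionFee > usedFee) {
            to = depositInfo[depositId].owner;
            amount = depositInfo[depositId].executionFee - usedFee;
        }
    }

    // Constructed scenario: deposit 1 is settled after deposit 2 was created,
    // so counter (2) no longer matches depositId (1).
    function scenario() external returns (address buggyTo, address fixedTo) {
        address alice = address(0xA11CE); // constructed addresses
        address bob = address(0xB0B);
        uint256 aliceId = deposit(alice, 10);
        deposit(bob, 10);
        (buggyTo, ) = refundBuggy(aliceId, 4);
        (fixedTo, ) = refundFixed(aliceId, 4);
        assert(buggyTo == bob && fixedTo == alice);
    }
}
```
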
Updates

Lead Judging Commences

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_counter_invalid_during_handleReturn

Likelihood: Medium/High, when withdrawing on a 1x vault. Impact: High, the fees will be distributed to the last depositor and not the withdrawer.
