Incorrect Usage of counter Instead of depositId in _mint Function
Summary
The _mint function in PerpetualVault.sol incorrectly uses counter instead of depositId when processing execution fee refunds. This can lead to misdirected refunds, causing financial losses for depositors.
Vulnerability Details
In the _mint function, the refund logic references depositInfo[counter] instead of depositInfo[depositId]:
Expected: The function should reference depositInfo[depositId], as depositId represents the deposit currently being processed.
Actual: The function references depositInfo[counter], which may point to a different deposit, leading to incorrect refunds.
Impact
Loss of Funds: Refunds may be sent to the wrong user, causing financial loss for the correct recipient.
Incorrect Refund Amount: The refund amount might be miscalculated, leading to over- or under-refunding.
Potential DoS Risk: If depositInfo[counter] is invalid, the function could revert, blocking deposits under certain conditions.
Tools Used
Manual Code Review
Static Analysis Tools
Recommendations
Replace counter with depositId in the refund logic:
This ensures that refunds are correctly processed for the intended depositors, preventing fund misdirection and potential contract failures.
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.