DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Excess executionFee not getting refunded to the users

Summary

When a user deposits collateral tokens, they must pay an executionFee to create a GMX order based on their current position. The _payExecutionFee function ensures that msg.value is greater than minExecutionFee but does not enforce a maximum cap. This oversight can result in users' funds becoming stuck in the protocol.

Similarly, when a user withdraws collateral tokens and currentPositionKey is empty, the user should not have to pay an executionFee.

Vulnerability Details

  1. Current state: positionIsClosed == false.

  2. The user deposits collateral tokens with msg.value equal to minExecutionFee + 1e10.

  3. The keeper creates an order for the user and mints the necessary shares.

  4. Because a GMX order was placed, no refund is issued, so the user does not get the excess fee back.

Impact

Users won't be able to get their excess fee back from the protocol and might have to pay an executionFee even when the position is closed.

Recommendations

Implement a maximum cap on msg.value in the _payExecutionFee function so that the fee paid by the user cannot exceed a certain limit.
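An added illustration of the recommendation, not code from the DeFiFoundry or GMX contracts: the unbounded check described in the finding is shown next to a bounded variant that forwards only the fee the order needs and returns any surplus. The contract, function and variable names (maxExecutionFee, orderVault, the custom errors) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example; names are assumptions, not the audited project's API.
abstract contract ExecutionFeeExample {
    uint256 public minExecutionFee;
    uint256 public maxExecutionFee; // assumed upper bound set by governance

    error InsufficientExecutionFee(uint256 sent, uint256 required);
    error ExcessiveExecutionFee(uint256 sent, uint256 cap);
    error FeeTransferFailed();
    error RefundFailed();

    // Weak pattern from the finding: only a lower bound is enforced, so
    // everything above minExecutionFee is forwarded with the order and never
    // returned to the depositor.
    function _payExecutionFeeUnbounded(address orderVault) internal {
        if (msg.value < minExecutionFee) {
            revert InsufficientExecutionFee(msg.value, minExecutionFee);
        }
        (bool ok, ) = orderVault.call{value: msg.value}("");
        if (!ok) revert FeeTransferFailed();
    }

    // Hardened pattern: reject clearly mistaken amounts, forward exactly the
    // fee the order needs, and refund the remainder to the caller as the last
    // step so state changes are complete before the external call.
    function _payExecutionFeeBounded(address orderVault, uint256 fee) internal {
        if (msg.value < fee) revert InsufficientExecutionFee(msg.value, fee);
        if (msg.value > maxExecutionFee) {
            revert ExcessiveExecutionFee(msg.value, maxExecutionFee);
        }
        (bool ok, ) = orderVault.call{value: fee}("");
        if (!ok) revert FeeTransferFailed();

        uint256 excess = msg.value - fee;
        if (excess > 0) {
            (bool refunded, ) = msg.sender.call{value: excess}("");
            if (!refunded) revert RefundFailed();
        }
    }

    // Guard for the second scenario in the finding: when no GMX order is
    // needed (e.g. no open position), the caller should not be charged at all.
    function _requireNoExecutionFee(bool orderNeeded) internal view {
        if (!orderNeeded && msg.value != 0) {
            revert ExcessiveExecutionFee(msg.value, 0);
        }
    }
}
```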

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_deposit_positionIsClosed_does_not_refund_fees

Fees are not collected during that scenario, so no refund needed.
