Submission Details
Severity:
User should get redund when positionIsClosed.
Summary
In PerpetualVault::_withdraw function when positionIsClose is true then the user gets their collateral token based on the current collateral balance of the protcol, If there is no GMX order execution the fee would be refunded and if there isn't the fee won't be refunded.
so the user should get their fee refunded if the postion is closed.
Vulnerability Details
function _withdraw(uint256 depositId, bytes memory metadata, MarketPrices memory prices) internal {
...
>> if (positionIsClosed) {
_handleReturn(0, true, false);
} else if (_isLongOneLeverage(beenLong)) { // beenLong && leverage == BASIS_POINTS_DIVISOR
...
}
>> else if (curPositionKey == bytes32(0)) { // vault liquidated
_handleReturn(0, true, false);
} else {
....
}
}
Impact
user not getting their executionFee refunded.
Recommendations
function _withdraw(uint256 depositId, bytes memory metadata, MarketPrices memory prices) internal {
...
if (positionIsClosed) {
- _handleReturn(0, true, false);
+ _handleReturn(0, true, true);
} else if (_isLongOneLeverage(beenLong)) { // beenLong && leverage == BASIS_POINTS_DIVISOR
...
}
else if (curPositionKey == bytes32(0)) { // vault liquidated
- _handleReturn(0, true, false);
+ _handleReturn(0, true, true);
} else {
....
}
}
Updates
Lead Judging Commences
n0kto 7 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
invalid_withdraw_positionIsClosed_does_not_refund_fees
No fee needed in _payExecutionFee when position is closed. Make a PoC if you disagree.
Prize pool breakdown
Total prize
50,000 USDC
nSLOC
1,91026 USDC / LOC
47,500
2,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.