Missing Fee Deduction in Withdrawal Swap Flow
Summary
The runSwap() function triggers _handleReturn() with refundFee = true, assuming an execution fee was paid.
However, there is no mechanism in
_runSwap()or its related functions to actually deduct an execution fee for the withdrawal flow.This results in an inconsistent fee mechanism, where users may receive a refund for an execution fee they never paid.
Vulnerability Details
Keeper Calls
run()to withdraw
ifFLOW.WITHDRAW,runSwap()is executed to handle the withdrawal swap.Inside
_runSwap()
The function processes the swap then calls_handleReturn();
ISSUE:
refundFee = trueis hardcoded, but there was never an execution fee deduction anywhere in the flow.
Inside _handleReturn()
Since
refundFee = true, the contract attempts to refund an execution fee:
Key issue:
depositInfo[depositId].executionFee was never set or deducted, yet the contract tries to refund it.
This could lead to
Logical inconsistencies in accounting
Potential gas waste and unnecessary external calls
}
Tools Used
Manual Review
Recommendations
Option 1
-
Charge Execution fee before Swap Execution
Option 2
-
Prevent Refund when no fee was paid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.