DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Valid

Keeper cannot call cancelFlow() if depositor gets blacklisted by USDC

Description

The execution path is cancelFlow() --> _cancelFlow() which attempts to transfer collateral token to the depositor:

function _cancelFlow() internal {
    if (flow == FLOW.DEPOSIT) {
        uint256 depositId = counter;
@-->    collateralToken.safeTransfer(depositInfo[depositId].owner, depositInfo[depositId].amount);
        // ... Rest of the code

If the depositor has been blacklisted by USDC by this point, the transfer reverts and cancelFlow() reverts with it. The Keeper then has no way to remove this flow and delete depositInfo[depositId].

Impact

As the natspec mentions, the need for cancelFlow() is because:

/**
 * @notice
 *  Cancel the current ongoing flow.
 * @dev
 *  In the case of 1x long leverage, we never cancel the ongoing flow.
@-> *  In the case of gmx position, we could cancel current ongoing
@-> *  flow due to some accidents from our side or gmx side.
 */
function cancelFlow() external nonReentrant gmxLock {

As a result of this vulnerability, there would be no way to cancel the ongoing flow after an accident on Gamma's or GMX's side.

Mitigation

Wrap the collateralToken.safeTransfer() call in a try-catch block.
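
One way to apply this mitigation, shown as an added example that is not code from the submission or from the project: Solidity's try/catch applies only to external calls and contract creation, so the example makes a low-level call to the token's transfer and, if it fails, records the amount for the depositor to claim later instead of reverting. The names DeferredRefund, pendingRefund, _refundOrDefer and claimRefund are hypothetical, and the inheriting contract is assumed to set collateralToken to a deployed token contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Added illustration; every name in this contract is hypothetical.
abstract contract DeferredRefund {
    IERC20 public collateralToken; // assumed to be set by the inheriting contract
    mapping(address => uint256) public pendingRefund;

    event RefundDeferred(address indexed owner, uint256 amount);

    /// Push the refund if the token accepts it; otherwise book it as a
    /// claimable balance so the calling flow (e.g. a cancel path) can
    /// still finish and clear its state.
    function _refundOrDefer(address owner, uint256 amount) internal {
        if (!_tryTransfer(owner, amount)) {
            pendingRefund[owner] += amount;
            emit RefundDeferred(owner, amount);
        }
    }

    /// Low-level transfer that reports failure instead of reverting.
    /// Accepts tokens that return true and tokens that return no data.
    function _tryTransfer(address to, uint256 amount) private returns (bool) {
        (bool ok, bytes memory ret) = address(collateralToken).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        if (!ok) return false;               // token reverted (e.g. blacklist check)
        if (ret.length == 0) return true;    // no return value
        return ret.length >= 32 && abi.decode(ret, (bool));
    }

    /// Pull path: the depositor retries the transfer themselves. A failure
    /// here reverts only this call and leaves the balance recorded.
    function claimRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount != 0, "nothing to claim");
        pendingRefund[msg.sender] = 0;       // effects before interaction
        require(_tryTransfer(msg.sender, amount), "transfer failed");
    }
}
```

With this shape the Keeper's cancel path would call _refundOrDefer() in place of the direct transfer, so a failing recipient no longer blocks deletion of the deposit record.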

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_cancelFlow_blacklisted

Likelihood: Extremely Low, when user is blacklisted between the deposit/withdraw and cancelFlow is called by the Keeper. Impact: Medium/High, cancelFlow DoS.
