Unused fee can never be refunded back to user in `_handleReturn`
Summary
For deposits, there can be execution fees to send to GMX proxies, after the order execution has finished, not all of provided gas amount will be used up, and those excess ones are sent back to user. In _handleReturn, the logic is in incorrect order, which will make intended refund not possible.
Vulnerability Details
Here at the end of _handleReturn:
If there is refund option set, and the function will try to refund excess execution fees back to user, but we notice, before the if branch, _burn is called, and in such function:
It deletes depositInfo[depositId] by setting all fields to empty value. Back in _handleReturn, execution fees to be refunded is calculated using depositInfo[depositId].executionFee > usedFee, but since depositInfo[depositId] has already been deleted, so this branch will never be reached, and the refund will never happen.
Impact
Some deposits' execution fee will never be refunded
Tools Used
Manual review
Recommendations
_burn after the refund logic.
Lead Judging Commences
finding_burn_depositId_before_refund
Likelihood: High, every time a user withdraw on 1x vault with paraswap Impact: Medium, fees never claimed to GMX and refund to the owner.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.