Incorrect order of actions in _handleReturn
Summary
The _handleReturn function, responsible for calculating and returning collateral tokens to deposit recipient, has an issue with the fee refund process. The function first calls _burn, which deletes deposit information from depositInfo, and then attempts to refund the unused execution fee. Since depositInfo[depositId] is already deleted, the refund process fails due to missing owner and execution fee data.
Vulnerability Details
-
The
_handleReturnfunction calculates the amount of collateral tokens to be returned based on the deposit's share oftotalShares. -
After computing the amount, it calls
_transferTokento send the tokens to the deposit recipient. -
_burn(depositId)is called, which:Removes the deposit from
userDeposits.Decreases
totalShares.Deletes the
depositInfo[depositId]record.
-
If
refundFeeis true, the function attempts to refund the unused execution fee. -
However, since
_burnhas benn called first it has deleteddepositInfo[depositId], accessingdepositInfo[depositId].executionFeeresults in default value(0).
Impact
Refunds will always default to zero due to deleted deposit records.
Execution fee refunds will not be processed, causing a loss to depositors.
Tools Used
Manual Review
Recommendations
Follow the correct order of actions:
Refund the execution fee to the deposit owner if
refundFee = trueCall
_burnto delete the proper deposit information
Lead Judging Commences
finding_burn_depositId_before_refund
Likelihood: High, every time a user withdraw on 1x vault with paraswap Impact: Medium, fees never claimed to GMX and refund to the owner.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.