Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect fee refund target in _handleReturn

0xkyosi

Summary

The _handleReturn function incorrectly refunds execution fees to the owner of the latest deposit instead of the current deposit being withdrawn. This is due to referencing depositInfo[counter] instead of using depositId extracted from flowData.

Vulnerability Details

Issue Description

  • The _handleReturn function is called during the WITHDRAW flow.

  • The flowData contains the depositId corresponding to the withdrawal.

  • However, when refunding execution fees, the function references depositInfo[counter], which always points to the last deposit made.

  • This means that if a user withdraws an earlier deposit, the execution fee refund could be sent to the wrong owner.

  • Instead of using depositInfo[depositId], the function mistakenly uses depositInfo[counter], leading to incorrect refunds.

Impact

  • Users may not receive their rightful refund if the execution fee is mistakenly sent to the latest depositor instead of the current one.

  • Execution fee refunds will not correspond correctly to the deposit being withdrawn, leading to financial inconsistencies.

Tools Used

Manual Review

Recommendations

Ensure that execution fee refunds are based on the depositId from flowData (current deposit) instead of counter (last deposit).

try IGmxProxy(gmxProxy).refundExecutionFee(depositInfo[depositId].owner, depositInfo[depositId].executionFee - usedFee) {} catch {}
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_counter_invalid_during_handleReturn

Likelihood: Medium/High, when withdraw on a 1x vault. Impact: High, the fees will be distributed to the last depositor and not the withdrawer.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!