DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Valid

Always point to last deposit fee refund in _cancelFlow

Summary

The cancelFlow function incorrectly refunds execution fees to the owner of the latest deposit instead of the current deposit being canceled. This is due to referencing depositInfo[counter] instead of using depositId extracted from flowData.

Vulnerability Details

Issue Description

  • The cancelFlow function is triggered by an off-chain keeper when a GMX order continuously fails.

  • If the flow is in DEPOSIT, it returns collateral to the deposit owner, removes the deposit from tracking structures, refunds the execution fee, and deletes deposit information.

  • If the flow is in WITHDRAW, it only refunds the execution fee.

  • However, when refunding execution fees, the function references depositInfo[counter], which always points to the last deposit made.

  • This means that if a user cancels an earlier deposit, the execution fee refund could be sent to the wrong owner.

Impact

  • Users may not receive their rightful refund if the execution fee is mistakenly sent to the latest depositor instead of the current one.

Tools Used

Manual Review

Recommendations

Extract the current withdrawal depositId and point to it.

    (uint256 depositId) = flowData;
    try IGmxProxy(gmxProxy).refundExecutionFee(
        depositInfo[depositId].owner,
        depositInfo[depositId].executionFee
    ) {} catch {}
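
The mismatch between counter and flowData, reduced to a small Solidity model (an added example, not the audited contract and not the submitter's code). Only depositInfo, counter, flowData, owner and executionFee come from the finding; the contract name, the function names and the refunded ledger that stands in for the GMX proxy call are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Simplified model, not the audited vault. depositInfo, counter, flowData,
// owner and executionFee follow the finding; every other name is hypothetical.
contract RefundModel {
    enum Flow { NONE, WITHDRAW }
    struct DepositInfo { address owner; uint256 executionFee; }

    mapping(uint256 => DepositInfo) public depositInfo;
    mapping(address => uint256) public refunded; // ledger standing in for refundExecutionFee
    uint256 public counter;  // id of the most recent deposit
    uint256 public flowData; // id of the deposit the active flow acts on
    Flow public flow;

    function deposit() external payable returns (uint256 id) {
        id = ++counter;
        depositInfo[id] = DepositInfo(msg.sender, msg.value);
    }

    // The deposit owner starts a withdrawal and pays a fresh execution fee.
    function withdraw(uint256 depositId) external payable {
        require(flow == Flow.NONE, "flow in progress");
        require(depositInfo[depositId].owner == msg.sender, "not owner");
        depositInfo[depositId].executionFee = msg.value;
        flow = Flow.WITHDRAW;
        flowData = depositId;
    }

    // As reported: the refund is keyed by counter, the latest deposit.
    function cancelFlowAsReported() external {
        _refund(counter);
    }

    // As recommended: the refund is keyed by the id stored in flowData.
    function cancelFlowFixed() external {
        _refund(flowData);
    }

    function _refund(uint256 id) internal {
        require(flow == Flow.WITHDRAW, "no withdraw flow");
        DepositInfo storage d = depositInfo[id];
        refunded[d.owner] += d.executionFee;
        d.executionFee = 0;
        flow = Flow.NONE;
    }
}
```

With constructed users Alice (deposit 1) and Bob (deposit 2), and Alice calling withdraw(1), cancelFlowAsReported credits Bob with the fee recorded on deposit 2 and leaves Alice's fee unrefunded, while cancelFlowFixed credits Alice.
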
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_counter_invalid_during_cancelFlow_after_withdrawing

Likelihood: Low, contract has to call cancelFlow after a withdraw, and the settle action is already executed by GMX. Impact: High, the fees will be distributed to the last depositor and not the withdrawer.
