DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Valid

Misuse of counter Instead of depositId in Refund Logic

Summary

The refund logic in the PerpetualVault contract incorrectly references depositInfo[counter] instead of depositInfo[depositId], leading to refunds being based on the wrong deposit data.

Vulnerability Details

Within the _handleReturn function, the refund logic uses depositInfo[counter].owner and depositInfo[counter].executionFee to determine the refund recipient and amount. However, counter represents the total number of deposits and does not correspond to the specific depositId being processed. This mismatch causes the contract to reference incorrect deposit data instead of the intended depositInfo[depositId].

Impact

Refunds may be sent to the wrong user or calculated using incorrect fee amounts, leading to financial errors, potential fund misallocation, and user disputes.

Tools Used

Manual code review and analysis.

Recommendations

Modify the refund logic to use depositInfo[depositId].owner and depositInfo[depositId].executionFee instead of depositInfo[counter]. This ensures that the refund is calculated and sent based on the correct deposit’s data.
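The indexing mistake and the recommended fix, side by side, as an added illustration. This is not the PerpetualVault source: only depositInfo, counter, depositId, owner and executionFee come from the report, the contract and function names are hypothetical, and it assumes deposit ids are assigned by incrementing counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model only, not the audited contract.
contract RefundIndexDemo {
    struct DepositInfo {
        address owner;
        uint256 executionFee;
    }

    mapping(uint256 => DepositInfo) public depositInfo;
    // Assumption: ids are handed out as ++counter, so counter always equals
    // the id of the most recent deposit, not the deposit being processed.
    uint256 public counter;
    // Bookkeeping for the demo: how much each address has been credited.
    mapping(address => uint256) public refunded;

    function deposit() external payable returns (uint256 depositId) {
        depositId = ++counter;
        depositInfo[depositId] = DepositInfo(msg.sender, msg.value);
    }

    // Pattern described in the finding: the id is validated, but the refund
    // data is then read from the slot of the latest deposit.
    function refundBuggy(uint256 depositId) external {
        require(depositInfo[depositId].owner != address(0), "unknown deposit");
        _credit(depositInfo[counter]);
    }

    // Recommended pattern: read owner and fee from the deposit in flight.
    function refundFixed(uint256 depositId) external {
        DepositInfo storage d = depositInfo[depositId];
        require(d.owner != address(0), "unknown deposit");
        _credit(d);
    }

    function _credit(DepositInfo storage d) private {
        uint256 fee = d.executionFee;
        d.executionFee = 0; // zero first so a fee can only be refunded once
        refunded[d.owner] += fee;
    }
}
```

With two deposits recorded (id 1 by one user, id 2 by another), refundBuggy(1) credits the owner of deposit 2 with deposit 2's fee, while refundFixed(1) credits the owner of deposit 1. A regression test for the fix should always have at least one later deposit outstanding, since the two paths behave identically when depositId equals counter.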

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_counter_invalid_during_handleReturn

Likelihood: Medium/High, when withdrawing on a 1x vault. Impact: High, the fees will be distributed to the last depositor and not the withdrawer.
