Unnecessary Execution Fee Deduction for Withdrawals Without Keeper Action
Summary
In the PerpetualVault contract, when positionIsClosed == true, neither deposits nor withdrawals require a keeper action or GMXProxy calls. The function getExecutionGasLimit correctly returns 0 in these cases. However, there is a specific scenario where a withdrawal does not require a keeper action (i.e., after liquidation) nor does it call any ETH requiring function in the GMXProxy contract, but the execution fee is still deducted and not refunded. This occurs when _handleReturn is called directly from _withdraw because curPositionKey == bytes32(0) and positionIsClosed == false in the _withdraw function.
Vulnerability Details
Normally, transactions requiring keeper actions or ETH requiring
gmxProxyfunctions deduct an execution fee.When
positionIsClosed == true,getExecutionGasLimitreturns0, ensuring no execution fee is deducted.However, in the case of withdrawals occurring after liquidation (when
curPositionKey == bytes32(0)),_handleReturnis called directly, meaning a keeper action andgmxProxycall is not required.Despite no keeper action being required, the execution fee is still deducted but not refunded, leading to an unnecessary cost for the user.
Impact
Users are overcharged execution fees for withdrawals that do not require keeper actions or any gmxProxy call.
Recommendations
There should be a check to prevent after liquidation deduction of fees during withdrawal
Lead Judging Commences
invalid_withdraw_positionIsClosed_does_not_refund_fees
No fee needed in _payExecutionFee when position is closed. Make a PoC if you disagree.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.