Incorrect Withdrawal Amount Calculation After Liquidation
Summary
During liquidation on GMX, two tokens can be returned to the PerpetualVault. However, when users withdraw their funds after liquidation, only the collateral token balance is considered for calculating the withdrawal amount. This results in an unfair distribution, as any additional tokens returned from GMX liquidation are not included in the withdrawal calculation, potentially leaving withdrawers with less than their fair share.
Vulnerability Details
-
Liquidation on GMX:
-
When liquidation occurs, GMX can return two different tokens to the vault.
-
This typically includes:
The collateral token.
A secondary token
-
-
Incorrect Withdrawal Calculation:
The withdrawal function currently calculates the withdrawable amount based on only the collateral token balance:
uint256 balanceBeforeWithdrawal = collateralToken.balanceOf(address(this)) - withdrawn; amount = withdrawn + (balanceBeforeWithdrawal * shares) / totalShares;-
This excludes any secondary tokens returned during liquidation, meaning:
The vault keeps the additional tokens instead of distributing them.
Users who withdraw lose out on their rightful share of these assets.
Impact
Unfair distribution of funds: Withdrawers only receive collateral token-based amounts, even if other assets are available.
Recommendations
Modify the withdrawal function to account for both collateral and any other returned tokens.
Lead Judging Commences
invalid_decreasePositionOrder_ouput_two_tokens_not_handled
Guardian’s audit H-05.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.