RefundFee refunds smaller portion of the fee when only dexSwap
Summary
When a position for PerpetualVault is opened with 1x leverage, deposits are executed using Paraswap instead of GMX. However, the account is charged the full execution fee, and a refund is attempted for the unused portion (executionFee - callbackGasLimit * tx.gasprice). The issue arises because the callback function is never executed, yet the refund logic assumes it was. Callback is only called only when GMX is used. This results in an incorrect refund calculation and potential loss of funds for the user.
Vulnerability Details
The refund logic in the code snippet assumes that the callback function is executed and calculates the refund based on the callbackGasLimit. However, when using Paraswap for 1x leverage deposits, the callback function is never invoked. Despite this, the protocol attempts to refund the difference between the executionFee and the calculated usedFee (which is based on callbackGasLimit * tx.gasprice). This leads to the following issues:
Incorrect Refund Calculation: The refund calculation assumes the callback function was executed, but it was not. This results in an incorrect refund amount being sent back to the user.
Impact
Users are charged an incorrect fee amount due to the flawed refund logic, resulting in a loss of funds.
Tools Used
Manual code review.
Recommendations
Modify the refund logic to account for cases where the callback function is not executed. If the callback is not invoked, the entire executionFee should be refunded to the user.
Lead Judging Commences
finding_deposit_dexSwap_refund_deduct_incorrect_usedFee
Likelihood: Medium/High, deposit in 1x vault with Paraswap Impact: Low/Medium, not enough refund for executino fees.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.