DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Valid

Keeper won't be able to cancel flow if depositor becomes blacklisted

Summary

Keepers won't be able to cancel an ongoing flow, because sending the collateral back to the owner can revert due to the blacklisting functionality of USDC.

Vulnerability Details

function _cancelFlow() internal {
    if (flow == FLOW.DEPOSIT) {
        uint256 depositId = counter;
        // @audit reverts if the owner is blacklisted by USDC, so the whole cancel reverts
        collateralToken.safeTransfer(depositInfo[depositId].owner, depositInfo[depositId].amount);
        totalDepositAmount = totalDepositAmount - depositInfo[depositId].amount;
        EnumerableSet.remove(userDeposits[depositInfo[depositId].owner], depositId);
        // The execution fee refund is already wrapped in try/catch and cannot block the cancel
        try IGmxProxy(gmxProxy).refundExecutionFee(
            depositInfo[counter].owner,
            depositInfo[counter].executionFee
        ) {} catch {}
        delete depositInfo[depositId];
    } else if (flow == FLOW.WITHDRAW) {
        try IGmxProxy(gmxProxy).refundExecutionFee(
            depositInfo[counter].owner,
            depositInfo[counter].executionFee
        ) {} catch {}
    }
    // ...
}

Impact

Temporary DoS until the admin manually updates the flow state variable so that new deposits and withdrawals are available again. Because withdraw and deposit operations are time-sensitive, such a temporary DoS can lead to loss of funds for users. For example, if they are longing ETH and the ETH price starts going down, users won't be able to withdraw their funds.

Tools Used

Manual review.

Recommendations

Consider using a try/catch block.
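
One way to apply this recommendation, as an added example that is not the project's code: the refund is attempted through a direct external call (try/catch cannot wrap SafeERC20's internal `safeTransfer`), and a failed transfer is recorded for the owner to claim later instead of reverting the keeper's call. `RefundEscrow`, `pendingRefund`, `_refundOrDefer` and `claimRefund` are hypothetical names, and the token is assumed to return a bool from `transfer`, as USDC does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Constructed example: a refund path that cannot block the caller.
abstract contract RefundEscrow {
    IERC20 public immutable collateralToken;

    // Collateral owed to owners whose refund transfer failed (hypothetical name).
    mapping(address => uint256) public pendingRefund;

    event RefundDeferred(address indexed owner, uint256 amount);

    constructor(IERC20 token) {
        collateralToken = token;
    }

    /// Tries to send `amount` to `owner`. If the token reverts (for example
    /// because `owner` is blacklisted) or returns false, the amount is
    /// credited to `pendingRefund` and the calling flow continues.
    function _refundOrDefer(address owner, uint256 amount) internal {
        // try/catch only applies to external calls, so the token is called
        // directly here rather than through a library wrapper.
        try collateralToken.transfer(owner, amount) returns (bool ok) {
            if (ok) return;
        } catch {}
        pendingRefund[owner] += amount;
        emit RefundDeferred(owner, amount);
    }

    /// Pull-style claim for a deferred refund. It pays msg.sender only and
    /// reverts while the transfer to that address still fails.
    function claimRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount != 0, "nothing to claim");
        pendingRefund[msg.sender] = 0; // clear before the external call
        require(collateralToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

In `_cancelFlow`, the `safeTransfer` line would become a call to `_refundOrDefer` with the same owner and amount, leaving the rest of the deposit bookkeeping unchanged.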

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_cancelFlow_blacklisted

Likelihood: Extremely Low, when user is blacklisted between the deposit/withdraw and cancelFlow is called by the Keeper. Impact: Medium/High, cancelFlow DoS.
