Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Inconsistent Deposit Identifier Usage in Fee Refunds

pengu

PerpetualVault.sol

Observation:
In both the minting and withdrawal flows the refund logic uses the global counter (i.e. depositInfo[counter]) instead of the deposit identifier that is actually being processed. For example, in the internal function for minting:

if (refundFee) {
uint256 usedFee = callbackGasLimit * tx.gasprice;
if (depositInfo[counter].executionFee > usedFee) {
try IGmxProxy(gmxProxy).refundExecutionFee(
depositInfo[counter].owner,
depositInfo[counter].executionFee - usedFee
) {} catch {}
}
}

Risk:
If a user’s deposit does not correspond to the current counter value—for instance, when multiple deposits are in play or flows are interleaved—this mismatch can cause the contract to refund (or not refund) the wrong amount. An attacker controlling deposits or by triggering unexpected flows could manipulate fee accounting, possibly redirecting refunds or “stealing” extra fee amounts.

Recommendation:
Always refer to the actual deposit identifier (e.g. using a local variable passed as a parameter) rather than relying on the global counter. This ensures that refunds are correctly tied to the deposit in question.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!