Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Execution fee refunds for DEX swaps don't work

fuzzysquirrel

Summary

When users wish to withdraw, they have to provide an execution fee with the assumption that the withdrawal will execute a GMX operation which costs a lot of gas. In some cases, dexes provide better prices for the operation so the gamma code will do a dex swap instead. In such dex swap withdrawals, the execution fee is not actually refunded, due to a bug.

Vulnerability Details

The _burn() function deletes the depositInfo[depositId] of the operation, after which the deleted struct is checked:

emit Burned(depositId, depositInfo[depositId].recipient, depositInfo[depositId].shares, amount);
_burn(depositId);
if (refundFee) {
uint256 usedFee = callbackGasLimit * tx.gasprice;
> if (depositInfo[depositId].executionFee > usedFee) {
try IGmxProxy(gmxProxy).refundExecutionFee(depositInfo[counter].owner, depositInfo[counter].executionFee - usedFee) {} catch {}
}
}

The check on the marked line will always fail, because the struct has been deleted, so executionFee will be zero, rather than what it was supposed to be.

Impact

Refunds of large amounts of gas will not occur, and will remain stuck in the contract until the admin calls withdrawEth()

Tools Used

Manual review

Recommendations

Copy the depositInfo to memory before deleting it, and use the copy for the refund

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_burn_depositId_before_refund

Likelihood: High, every time a user withdraw on 1x vault with paraswap Impact: Medium, fees never claimed to GMX and refund to the owner.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!