The contract PerpetualVault has a vulnerability in the _mint and _handleReturn functions where the usedFee does not represent the actual gas fee incurred but rather a limit based on an estimated gas price.
In the _mint and _handleReturn functions, the contract calculates the usedFee as follows:
This calculation uses a predefined callbackGasLimit and the current transaction gas price (tx.gasprice). However, this does not accurately reflect the actual gas used in the transaction. This discrepancy can lead to two problematic scenarios:
If the actual gas usage is lower than the estimated limit, the keeper will not be refunded the full amount of gas used.
If the actual gas usage is higher than the estimated limit, the keeper will be refunded more than the actual gas fee incurred.
The incorrect calculation of the gas fee can lead to financial discrepancies:
Keepers may incur losses if they are not fully refunded for the gas used.
The vault may incur losses if it over-refunds keepers for the gas used.
Over time, these discrepancies can accumulate, leading to significant financial risks for either the keepers or the vault.
Manual Review
To address this issue, the contract should calculate the gas fee based on the actual gas used in the transaction. This can be achieved by using the gasleft() function to measure the gas used before and after the transaction, and then calculating the fee accordingly:
This approach ensures that the keeper is refunded the exact amount of gas used, preventing any financial discrepancies.
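An added sketch of the measurement described above, not code from PerpetualVault or from this submission: a hypothetical contract that takes two gasleft() readings around the work and refunds the metered gas at tx.gasprice, with the limit-based formula kept alongside for comparison. The contract and function names, the FIXED_OVERHEAD_GAS constant, the keeper restriction and the cap at callbackGasLimit are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; not PerpetualVault code. All names are hypothetical.
contract MeteredRefundExample {
    // Assumed constant for gas spent outside the measured window
    // (intrinsic transaction cost and the refund transfer itself).
    uint256 public constant FIXED_OVERHEAD_GAS = 30_000;

    address public immutable keeper;
    // Upper bound on refundable gas, playing the role of callbackGasLimit.
    uint256 public immutable callbackGasLimit;
    uint256 private sink; // stands in for state touched by the real work

    event Refunded(address indexed keeper, uint256 gasUsed, uint256 fee);

    constructor(address _keeper, uint256 _callbackGasLimit) payable {
        keeper = _keeper;
        callbackGasLimit = _callbackGasLimit;
    }

    // Limit-based fee as the finding describes it: independent of real usage.
    function limitBasedFee() public view returns (uint256) {
        return callbackGasLimit * tx.gasprice;
    }

    // Metered fee: gas consumed since gasAtStart plus the fixed overhead,
    // capped at the limit so one call cannot exceed the budgeted refund.
    function _meteredFee(uint256 gasAtStart)
        internal view returns (uint256 gasUsed, uint256 fee)
    {
        gasUsed = gasAtStart - gasleft() + FIXED_OVERHEAD_GAS;
        if (gasUsed > callbackGasLimit) gasUsed = callbackGasLimit;
        fee = gasUsed * tx.gasprice;
    }

    function execute(bytes calldata work) external {
        require(msg.sender == keeper, "not keeper");
        uint256 gasAtStart = gasleft();   // first reading, before the work
        sink += work.length;              // placeholder for the real work
        (uint256 gasUsed, uint256 fee) = _meteredFee(gasAtStart);
        emit Refunded(msg.sender, gasUsed, fee);
        (bool ok, ) = msg.sender.call{value: fee}(""); // refund goes last
        require(ok, "refund failed");
    }
}
```

Gas spent before the first gasleft() reading and after the second is not observable from inside the call, which is why the sketch adds a fixed overhead instead of claiming an exact figure.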