An attacker can block GMXVault by registering himself as ui fee receiver on GMX, which causes the slippage check to always revert when processDepositFailure is called.
If a deposit is decided to have failed, the keeper calls the processDepositFailure function in order to withdraw the already deposited LP tokens and send the received tokens to the depositor.
The processDepositFailure function calculates the amounts of tokenA and tokenB that it can get in exchange for the LP tokens, and it also takes slippage into account. If a smaller amount would be received when GMX does the swap, the GMX withdrawal reverts. To send the request to GMX, the removeLiquidity function is called, which eventually calls GMXWorker.removeLiquidity. This function sets uiFeeReceiver on the GMX withdraw request. In this case, self.refundee will be the previous depositor, as this value is not changed by
Now let's check what uiFeeReceiver is on GMX. It is the entity that receives a percentage of your swaps on GMX. For a withdrawal, it receives a fee on both the long and the short tokens. The amount of the fee depends on what the ui fee receiver has set for himself.
So the attacker can register himself as ui fee recipient and set his percentage high enough that, when processDepositFailure is called on his deposit, the created withdrawal request always reverts with a slippage error. As a result, the system gets stuck in Deposit_Failed status, cannot work normally, and emergency operations are needed.
GMXVault will be blocked.
You don't need to use uiFeeReceiver at all. Set it to 0 for both deposits and withdrawals.
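The interaction between the slippage minimum and the ui fee described above, and the effect of the recommended zero receiver, can be checked with a small model. This is an added example, not code from GMX or the vault; the basis-point units, the function names and the sample addresses and amounts are assumptions made for illustration.

```python
# Simplified model (assumption): the ui fee is charged as a fraction of each
# output token, and the withdrawal reverts when an output falls below the
# minimum the vault computed from its slippage setting.
ZERO_ADDRESS = "0x" + "00" * 20
BPS = 10_000


class SlippageRevert(Exception):
    """Stands in for the revert raised when output < requested minimum."""


def min_amounts(expected, slippage_bps):
    """Minimum tokenA/tokenB amounts attached to the withdrawal request."""
    return tuple(x * (BPS - slippage_bps) // BPS for x in expected)


def execute_withdrawal(expected, minimums, ui_fee_receiver, registered_fees):
    """Deduct the receiver's self-declared fee from both tokens, then check minimums."""
    if ui_fee_receiver == ZERO_ADDRESS:
        fee_bps = 0  # no receiver, no ui fee
    else:
        fee_bps = registered_fees.get(ui_fee_receiver, 0)
    outputs = tuple(x * (BPS - fee_bps) // BPS for x in expected)
    for out, minimum in zip(outputs, minimums):
        if out < minimum:
            raise SlippageRevert(f"output {out} < minimum {minimum}")
    return outputs


def withdrawal_succeeds(ui_fee_receiver, registered_fees,
                        expected=(1_000_000, 2_000_000), slippage_bps=50):
    """True if the failure-path withdrawal executes, False if it reverts."""
    minimums = min_amounts(expected, slippage_bps)
    try:
        execute_withdrawal(expected, minimums, ui_fee_receiver, registered_fees)
        return True
    except SlippageRevert:
        return False


# Constructed sample: the refundee registered a 1% ui fee; vault slippage is 0.5%.
REFUNDEE = "0x" + "ab" * 20
FEES = {REFUNDEE: 100}

if __name__ == "__main__":
    print("uiFeeReceiver = refundee:", withdrawal_succeeds(REFUNDEE, FEES))
    print("uiFeeReceiver = zero:", withdrawal_succeeds(ZERO_ADDRESS, FEES))
```

In this model any registered fee larger than the vault's slippage tolerance makes every retry revert, while passing the zero address removes the depositor-controlled term from the check.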