Relevant GitHub Links
Summary
An attacker can block GMXVault by registering himself as a UI fee receiver on GMX, which causes the slippage check to always revert when processDepositFailure is called.
Vulnerability Details
If a deposit is determined to have failed, the keeper calls the processDepositFailure function to withdraw the already deposited LP tokens and send the received tokens to the depositor.
The processDepositFailure function calculates the amounts of tokenA and tokenB that it can get in exchange for the LP tokens, taking slippage into account. If a smaller amount is received when GMX performs the swap, the GMX withdrawal reverts. To send the request to GMX, the removeLiquidity function is called, which eventually calls GMXWorker.removeLiquidity. This function sets self.refundee as the uiFeeReceiver of the GMX withdrawal request. In this case, self.refundee is the previous depositor, as this value is not changed by the processDepositFailure function.
Now let's check what uiFeeReceiver is on GMX. It is the entity that receives a percentage of your swaps on GMX. For a withdrawal, it receives a fee for both the long and short tokens. The fee amount depends on what the UI fee receiver has set for himself.
So an attacker can register himself as a UI fee recipient and set his percentage high enough that, when processDepositFailure is called on his deposit, the created withdrawal request always reverts with a slippage error. As a result, the system is stuck in the Deposit_Failed status, cannot work normally, and emergency operations are needed.
Impact
GMXVault will be blocked.
Tools Used
VsCode
Recommendations
You don't need to use uiFeeReceiver at all. Set it to 0 for both deposits and withdrawals.
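The failure condition and the recommended fix can be checked with a simplified model. This is an added example, not GMX or vault code: the function names, the basis-point fee model, the "Open" status, the zero-address placeholder and the sample amounts are all assumptions, and the market is assumed not to move between the request and its execution.

```python
# Simplified model (added example): not GMX or vault code.
# All names, the basis-point fee model and the sample numbers are assumptions.
BPS = 10_000
ZERO_ADDRESS = "0x0"  # placeholder for "no UI fee receiver"

class SlippageRevert(Exception):
    """Stands in for the GMX withdrawal reverting on insufficient output."""

def min_amounts(expected_a, expected_b, slippage_bps):
    """Minimum acceptable outputs the vault attaches to the withdrawal request."""
    keep = BPS - slippage_bps
    return expected_a * keep // BPS, expected_b * keep // BPS

def execute_withdrawal(expected_a, expected_b, min_a, min_b, ui_fee_receiver, ui_fee_bps):
    """Deduct the UI fee from both tokens, then enforce the minimum outputs."""
    fee_bps = 0 if ui_fee_receiver == ZERO_ADDRESS else ui_fee_bps
    out_a = expected_a * (BPS - fee_bps) // BPS
    out_b = expected_b * (BPS - fee_bps) // BPS
    if out_a < min_a or out_b < min_b:
        raise SlippageRevert(f"got ({out_a}, {out_b}), need ({min_a}, {min_b})")
    return out_a, out_b

def process_deposit_failure(status, refundee, ui_fee_bps, use_refundee_as_fee_receiver,
                            expected=(1_000_000, 2_000_000), slippage_bps=50):
    """One keeper attempt; returns the vault status afterwards."""
    assert status == "Deposit_Failed"
    min_a, min_b = min_amounts(*expected, slippage_bps)
    receiver = refundee if use_refundee_as_fee_receiver else ZERO_ADDRESS
    try:
        execute_withdrawal(*expected, min_a, min_b, receiver, ui_fee_bps)
    except SlippageRevert:
        return "Deposit_Failed"  # withdrawal reverted, vault stays stuck
    return "Open"  # assumed name for the normal status

def retry(attempts, **kwargs):
    """Keeper retries: the outcome is deterministic, so retrying never helps."""
    status = "Deposit_Failed"
    for _ in range(attempts):
        if status == "Deposit_Failed":
            status = process_deposit_failure(status, **kwargs)
    return status
```

With a 50 bps slippage tolerance, any UI fee above 50 bps set by the refundee keeps the status at Deposit_Failed on every retry, while passing the zero address as fee receiver lets the same withdrawal complete.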