H-01. GMXVault can be blocked by abusing the GMX UI fee

Submitted by rvierdiiev, NeverGonnaGiveYulUp. Selected submission by: rvierdiiev.

Relevant GitHub Links

Summary

An attacker can block GMXVault by registering himself as a UI fee receiver on GMX with a fee factor high enough that the slippage check always reverts when processDepositFailure is called for his deposit.

Vulnerability Details

If a deposit is decided to have failed, the keeper calls processDepositFailure in order to withdraw the LP tokens that were already deposited into GMX and send the received tokens back to the depositor.
processDepositFailure calculates the amounts of tokenA and tokenB it expects to receive in exchange for the LP tokens and applies the configured slippage tolerance to derive minimum output amounts. If GMX delivers less than these minimums when it executes the withdrawal, the GMX withdrawal reverts. To send the request to GMX, removeLiquidity is called, which eventually calls GMXWorker.removeLiquidity. This function sets self.refundee as the uiFeeReceiver of the GMX withdrawal request. In this case self.refundee is still the depositor of the failed deposit, because processDepositFailure does not change this value.
Now consider what a uiFeeReceiver is on GMX. It is an entity that receives a percentage of the amounts involved in your GMX actions; for a withdrawal it receives a fee on both the long and the short token. The size of the fee is determined by the fee factor the UI fee receiver has set for itself on GMX.
So an attacker can register himself as a UI fee receiver and set his fee factor high enough that, when processDepositFailure is called for his deposit, the withdrawal request it creates always fails the slippage check and reverts. As a result the vault is stuck in the Deposit_Failed status, cannot work normally, and emergency operations are needed to recover. The attack only works if the fee the attacker can set for himself exceeds the vault's slippage tolerance, so the maximum UI fee factor GMX permits and the vault's slippage setting together determine whether it is feasible.
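The following Python model illustrates the interaction described above: the vault derives minimum output amounts from its slippage tolerance, GMX deducts the UI fee belonging to whoever is named as uiFeeReceiver before checking those minimums, and a receiver with a fee factor above the slippage tolerance makes every withdrawal revert. This is an added example, not code from GMXVault or GMX; the 1e30 fee precision, the fee formula, the token amounts and the address strings are assumptions for illustration only.

```python
"""Model of the GMX UI-fee / slippage interaction from the finding above.

Constructed example. PRECISION, the fee formula (fee = amount * factor // PRECISION),
the sample amounts and the address strings are assumptions, not GMX's exact code.
"""
from dataclasses import dataclass

PRECISION = 10**30          # assumed GMX-style fixed-point scale for fee factors
ZERO_ADDRESS = "0x" + "0" * 40
ATTACKER = "0xattacker"     # constructed address of the malicious depositor


class WithdrawalReverted(Exception):
    """Raised when GMX would revert the withdrawal for insufficient output."""


@dataclass
class WithdrawalRequest:
    ui_fee_receiver: str
    min_long_amount: int
    min_short_amount: int


class GmxModel:
    """Minimal stand-in for the GMX side: a UI-fee registry plus withdrawal execution."""

    def __init__(self):
        self.ui_fee_factors = {}  # receiver address -> fee factor (PRECISION-scaled)

    def set_ui_fee_factor(self, receiver, factor):
        # Any address can register a fee factor for itself (the premise of the finding).
        self.ui_fee_factors[receiver] = factor

    def execute_withdrawal(self, req, long_out, short_out):
        """Deduct the UI fee for req.ui_fee_receiver, then enforce the requested minimums."""
        factor = self.ui_fee_factors.get(req.ui_fee_receiver, 0)
        long_after = long_out - long_out * factor // PRECISION
        short_after = short_out - short_out * factor // PRECISION
        if long_after < req.min_long_amount or short_after < req.min_short_amount:
            raise WithdrawalReverted("insufficient output amount")
        return long_after, short_after


def build_withdrawal(expected_long, expected_short, slippage_bps, ui_fee_receiver):
    """Vault side: minimum outputs are the expected amounts reduced by the slippage tolerance."""
    min_long = expected_long * (10_000 - slippage_bps) // 10_000
    min_short = expected_short * (10_000 - slippage_bps) // 10_000
    return WithdrawalRequest(ui_fee_receiver, min_long, min_short)


def simulate(attacker_fee_factor, slippage_bps, use_refundee_as_receiver):
    """Run processDepositFailure's withdrawal for the attacker's failed deposit.

    use_refundee_as_receiver=True models the vulnerable path (uiFeeReceiver = self.refundee,
    i.e. the attacker); False models the recommended fix (uiFeeReceiver = address(0)).
    Returns "executed" or "reverted".
    """
    gmx = GmxModel()
    gmx.set_ui_fee_factor(ATTACKER, attacker_fee_factor)
    expected_long, expected_short = 10 * 10**18, 20_000 * 10**6   # constructed amounts
    receiver = ATTACKER if use_refundee_as_receiver else ZERO_ADDRESS
    req = build_withdrawal(expected_long, expected_short, slippage_bps, receiver)
    try:
        gmx.execute_withdrawal(req, expected_long, expected_short)
        return "executed"
    except WithdrawalReverted:
        return "reverted"


if __name__ == "__main__":
    one_percent = PRECISION // 100
    print("refundee as receiver, 1% UI fee, 0.5% slippage:", simulate(one_percent, 50, True))
    print("address(0) as receiver, same fee registered:  ", simulate(one_percent, 50, False))
```

The third case a practitioner should check is the feasibility boundary: with the attacker's fee factor below the vault's slippage tolerance (for example 10 bps against 50 bps) the withdrawal still executes, which is why the maximum UI fee factor GMX allows relative to the vault's slippage setting decides whether the attack works in practice.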

Impact

GMXVault is blocked: it remains in the Deposit_Failed status and cannot work normally until emergency operations are performed.

Tools Used

VsCode

Recommendations

There is no need to use a uiFeeReceiver at all. Pass address(0) as uiFeeReceiver for both deposits and withdrawals, so that no depositor can attach a fee to the vault's GMX requests.