H-05. Withdraw function provides more funds to withdrawer

Submitted by rvierdiiev, Drynooo, hash. Selected submission by: rvierdiiev.

Relevant GitHub Links


Summary

Because mintFee is called after the user's supply ratio has been calculated, that ratio is larger than it should be and the user receives more funds than they are entitled to.

Vulnerability Details

When a user calls withdraw, they provide shareAmt, the amount of GMXVault shares to withdraw. The function then calculates the user's supply ratio as shareAmt / totalSupply, and from that ratio derives how much GMX lpAmt should be withdrawn for the user.
Later, the same function does one more thing: it mints the fee for the protocol, which increases totalSupply. The protocol accrues fees every second, so to get the correct ratio the denominator should not be totalSupply but totalSupply + GMXReader.pendingFee.
As a result, totalSupply is lower than it is in reality, the user gets a larger ratio and withdraws more assets than they should.
The GMXEmergency.emergencyWithdraw function has exactly the same problem. More generally, a totalSupply function that does not account for pending fees can create integration issues for other protocols.


Impact

The user withdraws more than they should, at the expense of the remaining share holders and the protocol's fee.

Tools Used



Recommendation

Mint the fee before calculating the supply ratio. Better still, override the totalSupply function so that it returns the supply including pending fees.
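To show the ordering bug from the Vulnerability Details and the two fixes from the Recommendation numerically, here is an added Python model of the vault's share accounting (constructed for this write-up, not the project's code); `pending_fee` stands in for GMXReader.pendingFee and all figures are made up.

```python
from dataclasses import dataclass


@dataclass
class VaultModel:
    """Toy model of the vault (constructed, not the project's contract).
    lp_amt: LP tokens held by the vault; total_supply: vault shares minted;
    pending_fee: fee shares accrued but not yet minted (GMXReader.pendingFee)."""
    lp_amt: int
    total_supply: int
    pending_fee: int
    treasury_shares: int = 0

    def mint_fee(self) -> None:
        # Mints the accrued fee shares to the treasury, diluting every holder.
        self.total_supply += self.pending_fee
        self.treasury_shares += self.pending_fee
        self.pending_fee = 0

    def effective_total_supply(self) -> int:
        # Recommended totalSupply override: include shares not yet minted.
        return self.total_supply + self.pending_fee

    def withdraw_vulnerable(self, share_amt: int) -> int:
        # Bug: ratio uses the stale totalSupply, fee is minted only afterwards.
        lp_out = self.lp_amt * share_amt // self.total_supply
        self.mint_fee()
        self.total_supply -= share_amt
        self.lp_amt -= lp_out
        return lp_out

    def withdraw_fixed(self, share_amt: int) -> int:
        # Fix 1: mint the fee first, so the ratio sees the diluted supply.
        self.mint_fee()
        lp_out = self.lp_amt * share_amt // self.total_supply
        self.total_supply -= share_amt
        self.lp_amt -= lp_out
        return lp_out


def overpayment_example(share_amt: int = 100_000) -> tuple:
    """Returns (vulnerable payout, fixed payout, overpayment) for one scenario."""
    scenario = dict(lp_amt=1_000_000, total_supply=1_000_000, pending_fee=10_000)
    bad = VaultModel(**scenario).withdraw_vulnerable(share_amt)
    good = VaultModel(**scenario).withdraw_fixed(share_amt)
    # Fix 2 (totalSupply override) yields the same figure as Fix 1.
    v = VaultModel(**scenario)
    override = v.lp_amt * share_amt // v.effective_total_supply()
    assert override == good
    return bad, good, bad - good
```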