H-10. Users withdraw more assets than should when `mintFee` was called long ago

Submitted by pontifex.

Relevant GitHub Links


The amount of LP-tokens to withdraw is calculated at the GMXWithdraw.withdraw before the mintFee function is called. The mintFee function increases the totalSupply amount. This way users receive more tokens than should be at the current timestamp. The longer the period since the last mintFee was called the more excess tokens the user receives.

Vulnerability Details

The protocol mints vault token shares as management fees to protocol treasury with the mintFee function. This increases the totalSupply of the shares. The amount of minted fees depends on the time since the last mintFee call.
plain text
function mintFee() public { _mint(_store.treasury, GMXReader.pendingFee(_store)); _store.lastFeeCollected = block.timestamp; }
While withdrawal amount of LP-token can be calculated with outdated totalSupply:
plain text
67 _wc.shareRatio = wp.shareAmt 68 * SAFE_MULTIPLIER 69 / IERC20(address(self.vault)).totalSupply(); 70 _wc.lpAmt = _wc.shareRatio 71 * GMXReader.lpAmt(self) 72 / SAFE_MULTIPLIER; 101 self.vault.mintFee();
The mintFee is called only after this calculation.


Users can receive excess amounts of tokens during withdrawal. Other users and the protocol management lose value of their shares.

Tools used

Manual Review


Consider calling the mintFee before the _wc.shareRatio calculation.