M-16. Rewards from GMX are sent to Trove only in deposit and withdraw functions

Submitted by rvierdiiev.

Relevant GitHub Links


As protocol doesn't collect rewards from GMX in each function, these rewards can be sent to the user.

Vulnerability Details

This is because protocol expects to receive rewards from GMX in form of these tokens. So amount is sent to the Trove function, so later it can be compounded.
The problem is that deposit and withdraw functions are not the only entry point that can send these rewards to user. For example, processDepositFailureLiquidityWithdrawal function will send whole balance to the user after repay is done. Another example inside processDepositCancellation function, in case if depositParams.token is native, then whole balance is sent to user.
As after deposit or withdraw request was done, there is some delay, then during that delay rewards can come and they can be sent to the user.


Rewards are not sent to the Trove, but to the user.

Tools Used



I can't give good recommendation for all that cases, as GMXCallback is triggered by GMX and you can't know exactly which amount was sent. But for processDepositCancellation function, you should not sent more than self.depositCache.depositParams.amt. So do not withdraw whole balance, but that amount.