logo
Steadefi Documentation
/
Security
/
Audits
/
Codehawks Public Audit Mitigation Report

M-28. Users may cost additional interest

Submitted by Drynooo.

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXDeposit.sol#L199-L203

Summary

When a particular user deposit, if it is a case of executing processDepositCancellation after failing to add mobility. But the GMX callback is delayed for a period of time, during which the interest on the borrowed money will be borne by the user already in the vault, which is clearly unfair.

Vulnerability Details

When the processDepositCancellation function is executed, the repayment amounts are borrowTokenAAmt and borrowTokenBAmt. However, if there is a large delay in the GMX callback and more interest has been incurred, this interest is borne by the user in the vault. This situation, if it happens from time to time, accumulates to be a loss for the borrowing user.
plain text
function processDepositCancellation(
GMXTypes.Store storage self
) external {
GMXChecks.beforeProcessDepositCancellationChecks(self);

// Repay borrowed assets
GMXManager.repay(
self,
self.depositCache.borrowParams.borrowTokenAAmt,
self.depositCache.borrowParams.borrowTokenBAmt
);
The same applies to other cases where repayment is made after borrowing but there may be delays during the period.

Impact

Users who borrow may pay more in interest.

Tools Used

manual
L-04. Transfer Limit of UNI Tokens May Lead to a DoS and Token Loss Risk
L-19. Some tokens may cause `GMXEmergency:emergencyWithdraw` to revert if the withdrawn amount is 0
Powered by Notaku
Share
Content
M-28. Users may cost additional interest
Relevant GitHub Links
Summary
Vulnerability Details
Impact
Tools Used