Medium Risk
https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/strategy/gmx/GMXDeposit.sol#L61-L66
Because the protocol does not collect rewards from GMX in every function, these rewards can be sent to the user.
On each deposit, the tokenA and tokenB balances are sent to the Trove. The same is done on withdraw.
This is because the protocol expects to receive rewards from GMX in the form of these tokens, so the balance is sent to the Trove, where it can later be compounded.
The problem is that the deposit and withdraw functions are not the only entry points that can send these rewards to the user. For example, the processDepositFailureLiquidityWithdrawal function sends the whole balance to the user after the repay is done.
Another example is inside the processDepositCancellation function: if depositParams.token is native, the whole balance is sent to the user.
Because there is some delay after a deposit or withdraw request is made, rewards can arrive during that delay and then be sent to the user.
Rewards are not sent to the Trove, but to the user.
VsCode
I can't give a good recommendation for all of these cases, as GMXCallback is triggered by GMX and you can't know exactly which amount was sent. But for the processDepositCancellation function, you should not send more than self.depositCache.depositParams.amt. So do not withdraw the whole balance, but that amount.
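
The cancellation case above, as an added sketch that is not SteadeFi's code: the contract, interface and function names (CancellationRefundSketch, IWrappedNative, refundWholeBalance, refundCachedAmount) are hypothetical, and only the idea of capping the refund at the cached deposit amount comes from the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Hypothetical minimal wrapped-native interface (assumption, not the project's).
interface IWrappedNative {
    function balanceOf(address account) external view returns (uint256);
    function withdraw(uint256 amount) external; // unwraps to native token
}

contract CancellationRefundSketch {
    // Simplified stand-in for the cached deposit request.
    struct DepositCache {
        address payable user;
        uint256 amt; // amount the user originally deposited
    }

    IWrappedNative public immutable wnt;
    DepositCache internal depositCache;

    constructor(IWrappedNative _wnt) {
        wnt = _wnt;
    }

    // Needed to receive native token from wnt.withdraw().
    receive() external payable {}

    // Pattern described in the finding: the refund is the whole balance,
    // so rewards that arrived during the request delay go to the user.
    function refundWholeBalance() internal {
        wnt.withdraw(wnt.balanceOf(address(this)));
        (bool ok, ) = depositCache.user.call{value: address(this).balance}("");
        require(ok, "refund failed");
    }

    // Bounded variant: refund exactly the cached deposit amount.
    // Any surplus stays wrapped in the contract, where the page says the
    // next deposit or withdraw forwards token balances to the Trove.
    function refundCachedAmount() internal {
        address payable user = depositCache.user;
        uint256 amt = depositCache.amt;
        delete depositCache; // clear state before the external call

        wnt.withdraw(amt);
        (bool ok, ) = user.call{value: amt}("");
        require(ok, "refund failed");
    }
}
```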