Users may cost additional interest

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/0f909e2f0917cb9ad02986f631d622376510abec/contracts/strategy/gmx/GMXDeposit.sol#L199-L203

Summary

When a particular user deposit, if it is a case of executing processDepositCancellation after failing to add mobility. But the GMX callback is delayed for a period of time, during which the interest on the borrowed money will be borne by the user already in the vault, which is clearly unfair.

Vulnerability Details

When the processDepositCancellation function is executed, the repayment amounts are borrowTokenAAmt and borrowTokenBAmt. However, if there is a large delay in the GMX callback and more interest has been incurred, this interest is borne by the user in the vault. This situation, if it happens from time to time, accumulates to be a loss for the borrowing user.

  function processDepositCancellation(
    GMXTypes.Store storage self
  ) external {
    GMXChecks.beforeProcessDepositCancellationChecks(self);

    // Repay borrowed assets
    GMXManager.repay(
      self,
      self.depositCache.borrowParams.borrowTokenAAmt,
      self.depositCache.borrowParams.borrowTokenBAmt
    );

The same applies to other cases where repayment is made after borrowing but there may be delays during the period.

Impact

Users who borrow may pay more in interest.

Tools Used

manual

Recommendations

It is recommended to start calculating interest only after the liquidity has been successfully added.