Summary

In the withdraw function, the contract attempts to reborrow assets and re-add liquidity after a withdrawal failure. However, if the borrow or addLiquidity calls fail, the function does not handle these failures. This could potentially leave the contract in a state where funds are stuck, and users cannot withdraw their assets.

Vulnerability Details

1. A user initiates a withdrawal request by calling the withdraw function.

2. The contract calculates the amount of LP tokens to remove and calls the borrow function to borrow the necessary assets.

3. Due to an unexpected condition (e.g., insufficient liquidity in the lending vault), the borrow call fails.

4. The contract does not handle this failure and continues to the addLiquidity call.

5. The addLiquidity call also fails because the necessary assets were not borrowed.

6. The contract is now in a state where the withdrawal request cannot be completed, and the user's funds are stuck in the contract.

Impact

If funds get stuck in the contract, users may not be able to withdraw their assets, leading to potential loss of funds. This could also erode trust in the protocol and negatively impact its reputation.

Tools Used

manual code review.

Recommendations

• Add error handling for the borrow and addLiquidity calls in the withdraw function. This could involve using a try-catch statement to catch any errors and handle them appropriately.

• Additionally, consider implementing a mechanism to recover funds in case they get stuck due to unforeseen circumstances.