Core Contracts

Summary

The _withdrawFromVault function in the LendingPool contract is responsible for rebalancing liquidity by withdrawing assets from curveVault. However, the function incorrectly sets msg.sender as the owner of the shares instead of address(this).

This function is executed in different paths:

1- withdraw > _rebalanceLiquidity > _withdrawFromVault

2- deposit > _rebalanceLiquidity > _withdrawFromVault

3- borrow > _rebalanceLiquidity > _withdrawFromVault

Vulnerability Details

1. A user calls withdraw(amount) to retrieve assets from LendingPool.

2. The function _ensureLiquidity(amount) is called to verify if there is enough liquidity.

3. If availableLiquidity < amount, it triggers _withdrawFromVault(requiredAmount).

4. Inside _withdrawFromVault, the contract calls:

   curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

5. The curveVault.withdraw function has the following signature:

   function withdraw(

   uint256 assets,

   address receiver,

   address owner,

   uint256 maxLoss,

   address\[] calldata strategies

   ) external returns (uint256 shares);

6. In this call:

   1. receiver = address(this) (LendingPool)

   2. owner = msg.sender (user)

7. As a result, the function attempts to withdraw assets of the user (msg.sender) instead of withdrawing assets owned by LendingPool (address(this)).

8. It also should send assets to reserveRTokenAddress instead of address(this) or LendingPool

Impact

User transaction of withdraw/deposit/borrow reverts or user loses some of his assets in curveVault

Tools

vscode

Recommendations

correct format of _withdrawFromVault :