rebalanceLiquidity will fail in most of the cases.
Summary
rebalanceLiquidity is the function which maintain the 20:80 ratio of asset tokens in the RToken contract and curve vault. But this will get failed in most of the cases.
Vulnerability Details
When user will try to deposit function using the function LendingPool::deposit the execution will go as following deposit => ReserveLibrary::deposit in the function ReserveLibrary::deposit, the asset tokens will be transferred to the Rtoken address as we can see below.
Later in the execution _rebalanceLiquidity function will be called to maintain the ratio. And in case of currentBuffer > desiredBuffer the _depositIntoVault(excess); function will be called, which will call the deposit function in the curve vault, but this will get failed, as the RToken contract hold the assets not the Lending Pool, so the deposit into the vault will get failed.
Impact
rebalanceLiquidity will not work as intended and deposits will get failed.
Tools Used
Manual Review
Recommendations
First transfer the tokens to the LendingPool and after the liquidity balance the left amount should be transferred tot he RToken contract
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.