Deposit Assets from `LendingPool` to Curve Vault Will Fail
Summary
The LendingPool.deposit() function transfers reserve assets from the user to the RToken contract. However, during liquidity rebalancing, the _depositIntoVault() function attempts to transfer assets from the LendingPool contract to the curveVault. Since the assets are held in the RToken contract and not the LendingPool, this results in a transaction failure due to insufficient balance.
Vulnerability Details
The _depositIntoVault() function assumes that the reserve assets are held in the LendingPool contract. However, the assets are actually transferred to the Rtoken contract during the deposit() process. As a result, the LendingPool contract does not have the required balance to execute the transfer, causing the transaction to fail.
LendingPool::_depositIntoVault()
Impact
Liquidity rebalancing will fail, preventing assets from being deposited into the curveVault.
Tools Used
vscode
Recommendations
Modify the _depositIntoVault() function to transfer assets from the Rtoken contract (where the assets are actually held) instead of the LendingPool contract.
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.