Untracked Curve vault yield causes underflow when withdraw and breaks the RToken interest mechanism
Summary
The LendingPool contract's totalVaultDeposits tracking mechanism can underflow when withdrawing funds that include accrued yield. This occurs because the protocol subtracts the full withdrawal amount from totalVaultDeposits without accounting for the portion that represents yield, potentially leading to underflow.
The second issue is the curveVault yield is excluded from reserves, creating a mismatch between the actual LendingPool liquidityIndex and the correct value(deposits + yield). This results in RTokens earning less interest than intended.
Vulnerability Details
**Underflow issue: **the LendingPool contract, when withdrawing from the vault:
PoC
Initial state:
Over time, the Curve vault has generated 10% yield:
Now a large withdrawal happens, let's say someone wants to withdraw 900 crvUSD:
To maintain the desired buffer ratio after this large withdrawal, _rebalanceLiquidity() will be called:
_withdrawFromVault(120) is called to cover this shortage:
The issue is that totalVaultDeposits only tracks original deposits (1000), but the protocol needs to withdraw both original deposits AND yield (120) to maintain its buffer ratio. Over time, as more yield accumulates and large withdrawals happen, the protocol will need to withdraw more and more of the yield, eventually leading to withdrawing more than what totalVaultDeposits tracks.
The untracked yield issue: even if the yield is properly withdrawn from the curveVault to meet the liquidity buffer ratio, this yield is not accounted in the reserves. This will cause the interest rates to be calculated based on incorrect liquidity data(value deposited, not value deposited + yield).
Impact
For the underflow:
DoS - Users will be prevented from withdrawing their funds.
Every function that relies on
_rebalanceLiquiditycan suffer DoS: deposit, withdraw, and borrow.
For the not accounted yield:
Users receive suboptimal interest rates for their RToken.
Interest rates are calculated based on incomplete liquidity data
The discrepancy grows larger as more yield accrues in the vault
Tools Used
Manual Review
Recommendations
To fix the underflow: Modify totalVaultDeposits to track the total value in the vault including yield, not just the original deposits. When yield is earned, increment totalVaultDeposits accordingly. This ensures withdrawals (including yield) won't cause underflows.
To fix the yield in the reserves: whenever withdrawing yield from the curveVaultupdate the ReserveLibrary.updateInterestRatesAndLiquidity() passing the yield as the amount added. i.e:
Lead Judging Commences
LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations
LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.