Incorrect Asset Withdrawal Destination in `LendingPool.borrow()`
Summary
The LendingPool.borrow() function ensures sufficient liquidity by withdrawing assets from the Curve vault using _withdrawFromVault(). However, the withdrawn assets are sent to the LendingPool contract instead of the RToken contract. Since the borrow() function attempts to transfer assets from the RToken contract to the borrower, this mismatch causes the borrow operation to fail due to insufficient balance in the RToken contract.
Vulnerability Details
The _withdrawFromVault() function withdraws assets from the Curve vault to the LendingPool contract. However, the borrow() function attempts to transfer assets from the RToken contract to the borrower. Since the assets are not sent to the RToken contract, the transferAsset() call fails due to insufficient balance.
LendingPool::_withdrawFromVault()
Impact
Borrow operations will fail, preventing users from accessing liquidity.
Tools Used
vscode
Recommendations
Modify the _withdrawFromVault() function to withdraw assets directly to the RToken contract instead of the LendingPool contract.
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.