`LendingPool::_withdrawFromVault` expects shares to be burned from `msg.sender`; crvUsd will be locked in scrvUsd vault
Summary
LendingPool::_withdrawFromVault can't withdraw from scrvUsd Vault because vault.withdraw is called with owner == msg.sender; msg.sender doesn't hold vault's share.
Vulnerability Details
LendingPool integrates scrvVault for additional interest for LP.
The lending pool is rebalanced on each deposit/withdraw/borrow and liquidity is deposited or withdrawed from scrvUsdVault as required.
On deposit to vault shares are issued to LendingPool
In _withdrawFromVault, msg.sender is passed as the owner of the shares to be burned.
msg.sender in this case is the user who withdraw/ borrow from the LendingPool, he holds no scrvUsd vault shares. msg.sender is eronously passed to withdraw as the owner of the shares. Lending pool is unable to withdraw from scrvUsd vault.
Impact
Funds sent to scrvUsd vault are permanently locked.
Tools Used
Recommendations
Pass address(this) as the owner of shares to be burned.
Lead Judging Commences
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.