Submission Details
Severity:
Wrong parameter passed in`curveVault.withdraw`in `LendingPool.sol` contract
Summary
The _withdrawFromVault function contains a very high vulnerability due to the parameter passed in the curveVault.withdraw function. The error stops the protocol from withdrawing funds smothly from the vault leading to liqudity shortages.
Vulnerability Details:
``
function _withdrawFromVault(uint256 amount) internal {
curveVault.withdraw(amount, address(this), msg.sender, 0, new address);
totalVaultDeposits -= amount;
//!@Incorrect vault withdrawal in _withdrawalfrom vault
}
The vulnerability stems from the `withdrawVault` function when interacting with the curveVault specifically, the withdraw method is called with msg.sender as the owner parameter. However, the lending pool contract itself is the entity that made the deposit to the vault and thus holds the shares. Using msg.sender here is incorrect because when a user calls any function that triggers the `withdrawFromVault` function, the msg.sender becomes the user, not the lending pool contract. The `curveVault` will now check if the `msg.sender` has the shares to withdraw, which they do not have. This will cause the transaction to fail.
## Impact
The impact here is that any attempt to withdraw from the vault will fail. because the owner isn't the actual owner of the shares.
The liqudity rebalancing mechanism breaks leading to inconsistencies between the buffer and vault allaocations.
This could cause the protocol to become stuck, unable to fulfil users withdrawals and lending requests.
## Tools Used
Manual review
## Recommendations
Fixing this issue will involve changing the msg.sender parameter to `address(this)`
curveVault.withdraw(amount, address(this), address(this), 0, new address)
Updates
Lead Judging Commences
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.