The protocol breaks completely if the curveVault is changed in LendingPool. This is because the funds are not withdrawn from the old vault and deposited into the new one, as seen here:
When setCurveVault is called, the vault is changed, but the funds in it are never withdrawn and deposited into the other vault. Imagine the following scenario:
The owner sets a vault and some time passes. During this time some crvUSD is deposited in exchange for vault shares.
Then a new, better vault appears and the owner changes the vault, which doesn't withdraw the assets from the old vault to deposit them into the new one.
This leads to a DoS for the whole LendingPool: liquidity providers cannot withdraw their assets and users cannot borrow funds.
After this the owner can't even go back to the old vault, because by this point other users may have deposited into the system and their funds may have been deposited into the new vault.
Overall this means a big loss of funds for the protocol and for its users.
This means a big loss of funds for the protocol and for its users, because not every user will be able to withdraw.
Manual Review
When changing the vault, withdraw the funds from the old vault and deposit them into the new one.
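One way to implement this recommendation, as an added sketch that is not the project's own code. It assumes the vault exposes an ERC-4626-style interface (asset, balanceOf, deposit, redeem) and that the pool itself holds the vault shares; the contract name VaultMigrationSketch and the CurveVaultUpdated event are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustration only: interfaces and names are assumptions, not the audited contracts.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IVault {
    function asset() external view returns (address);
    function balanceOf(address account) external view returns (uint256);
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
    function redeem(uint256 shares, address receiver, address owner) external returns (uint256 assets);
}

contract VaultMigrationSketch {
    address public immutable owner;
    IERC20 public immutable crvUSD;
    IVault public curveVault;

    event CurveVaultUpdated(address indexed oldVault, address indexed newVault, uint256 migrated);

    constructor(IERC20 _crvUSD) {
        owner = msg.sender;
        crvUSD = _crvUSD;
    }

    function setCurveVault(IVault newVault) external {
        require(msg.sender == owner, "not owner");
        require(newVault.asset() == address(crvUSD), "asset mismatch");

        IVault oldVault = curveVault;
        uint256 migrated;
        if (address(oldVault) != address(0)) {
            uint256 shares = oldVault.balanceOf(address(this));
            // Close the whole position in the old vault before switching.
            if (shares > 0) migrated = oldVault.redeem(shares, address(this), address(this));
        }

        curveVault = newVault;
        if (migrated > 0) {
            // Move exactly what was recovered into the new vault.
            require(crvUSD.approve(address(newVault), migrated), "approve failed");
            newVault.deposit(migrated, address(this));
        }
        emit CurveVaultUpdated(address(oldVault), address(newVault), migrated);
    }
}
```

If the old vault cannot pay out, redeem reverts and the vault pointer stays unchanged, so the pool never ends up pointing at a vault in which it holds no shares while its funds sit elsewhere.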