Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

The `_withdrawFromVault` function withdraws funds to `LendingPool` instead of `rToken` leading to DoS for `withdraw` and `borrow` functions

Summary

The `_withdrawFromVault` function withdraws funds to `LendingPool` instead of `rToken`, which leads to a DoS of the `withdraw` and `borrow` functions.

Vulnerability Details

Looking at the `_withdrawFromVault` function, we see that it withdraws funds to the LendingPool (`address(this)`) instead of withdrawing them to the rToken:

function _withdrawFromVault(uint256 amount) internal {
    curveVault.withdraw(
        amount,
        address(this), // funds land in the LendingPool, not in the rToken
        msg.sender,
        0,
        new address[](0)
    );
    // Accounting is reduced even though the rToken received nothing
    totalVaultDeposits -= amount;
}

This can be seen in the VaultV3 implementation provided by the protocol team (the link can be found in the chat; for some odd reason I can't post it here).

This will eventually lead to a DoS of the `LendingPool::withdraw` and `LendingPool::borrow` functions, since it leaves the rToken contract with no funds to send to users.

Impact

DoS of key protocol functionality

Tools Used

Manual Review

Recommendations

Withdraw the funds from the vault to the rToken address by following the vault implementation, or, when they are withdrawn to the lending pool, transfer them to the rToken address.
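
The two options in the recommendation, as an added sketch that is not the protocol's code. `IERC20Min`, `IVaultLike`, `reserveAsset`, `rToken`, the contract name and both function names are hypothetical; the vault call shape is copied from the snippet above with assumed parameter names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces so the sketch compiles on its own (names are hypothetical).
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Call shape copied from the snippet in this finding; parameter names are assumed.
interface IVaultLike {
    function withdraw(
        uint256 assets, address receiver, address owner,
        uint256 maxLoss, address[] calldata strategies
    ) external returns (uint256);
}

abstract contract VaultWithdrawSketch {
    IVaultLike public curveVault;
    IERC20Min public reserveAsset;   // hypothetical: token the vault pays out
    address public rToken;           // hypothetical: contract that pays users
    uint256 public totalVaultDeposits;

    // Option 1: name the rToken as receiver so funds never rest in the pool.
    function _withdrawFromVaultToRToken(uint256 amount) internal {
        // Only the receiver differs from the original; other arguments as on the page.
        curveVault.withdraw(amount, rToken, msg.sender, 0, new address[](0));
        totalVaultDeposits -= amount;
    }

    // Option 2: keep the original call, then forward what actually arrived.
    function _withdrawFromVaultAndForward(uint256 amount) internal {
        uint256 balanceBefore = reserveAsset.balanceOf(address(this));
        curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
        uint256 received = reserveAsset.balanceOf(address(this)) - balanceBefore;
        // Fail loudly if the vault delivered less than requested, otherwise
        // the rToken would still be short when it pays the user.
        require(received >= amount, "vault paid out less than requested");
        require(reserveAsset.transfer(rToken, received), "forward to rToken failed");
        totalVaultDeposits -= amount;
    }
}
```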

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
