Core Contracts

Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Submission Details
Severity: high
Valid

Incorrect owner address in _withdrawFromVault

Summary

Incorrect owner address in _withdrawFromVault

Vulnerability Details

In LendingPool::_withdrawFromVault(), we will withdraw some funds from the crvUSD Vault. In the curveVault.withdraw() function, the third parameter is the owner. We will burn this owner's crvUSD Vault's share.

The problem is that we use msg.sender as the owner. It means that when users withdraw funds, we will burn msg.sender's crvUSD vault's share. This is incorrect. Our protocol deposits the funds into the crvUSD Vault. So the owner of this withdraw should be our protocol.

function _withdrawFromVault(uint256 amount) internal {
curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
totalVaultDeposits -= amount;
}
@external
@nonreentrant("lock")
def withdraw(
assets: uint256,
receiver: address,
owner: address,
max_loss: uint256 = 0,
strategies: DynArray[address, MAX_QUEUE] = []
) -> uint256:

Impact

Incorrect owner parameter in curveVault.withdraw. This will cause that we cannot withdraw funds from the crvUSD Vault.

Tools Used

Manual

Recommendations

Set our protocol contract as the owner parameter in curveVault.withdraw().

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.