Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Improper fixed maxloss in _withdrawFromVault

Summary

Improper fixed maxloss in _withdrawFromVault

Vulnerability Details

In LendingPool::_withdrawFromVault(), we withdraw funds from the crvUSD Vault. In the curveVault.withdraw() call, the fourth parameter, max_loss (in bps), is fixed at 0. This means that we do not accept any loss from the crvUSD Vault.

function _withdrawFromVault(uint256 amount) internal {
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    totalVaultDeposits -= amount;
}

In scrvUSDVault, the deposited funds are deposited into strategies. In most cases, depositors do not need to take a loss. But if something goes wrong in a strategy, depositors have to take some loss. Because we set max_loss to 0, this will cause our withdraw transaction to always be reverted.

def _redeem(
    sender: address,
    receiver: address,
    owner: address,
    assets: uint256,
    shares: uint256,
    max_loss: uint256,
    strategies: DynArray[address, MAX_QUEUE]
) -> uint256:
    """
    The vault will attempt to account for any unrealized losses taken on from
    strategies since their respective last reports.
    Any losses realized during the withdraw from a strategy will be passed on
    to the user that is redeeming their vault shares unless it exceeds the given
    `max_loss`.
    """

Impact

The withdraw transaction will always be reverted if there is some loss in the crvUSD vault.

Tools Used

Manual

Recommendations

Add a max_loss variable to the lending pool. The owner can set the variable according to the crvUSD vault's condition.
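One way to implement this recommendation, as an added sketch that is not the project's own code. The contract name, the ICurveVault interface and its return type, the setter, the event, the errors and the 100 bps ceiling are assumptions; the withdraw call keeps the arguments shown in the finding except for the fourth.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal interface, inferred from the call shown in the finding.
interface ICurveVault {
    function withdraw(
        uint256 assets,
        address receiver,
        address owner,
        uint256 maxLoss,
        address[] calldata strategies
    ) external returns (uint256);
}

// Hypothetical sketch contract; not the audited LendingPool.
contract VaultWithdrawSketch {
    // Assumed ceiling so a bad setting cannot accept an unbounded loss.
    uint256 public constant MAX_LOSS_CAP_BPS = 100;

    address public immutable owner;
    ICurveVault public immutable curveVault;
    uint256 public totalVaultDeposits;
    // Defaults to 0, which reproduces the behaviour described in the finding.
    uint256 public vaultMaxLossBps;

    event VaultMaxLossUpdated(uint256 oldBps, uint256 newBps);

    error NotOwner();
    error MaxLossTooHigh(uint256 requested, uint256 cap);

    constructor(ICurveVault vault) {
        owner = msg.sender;
        curveVault = vault;
    }

    // Owner tunes the tolerance according to the vault's condition.
    function setVaultMaxLoss(uint256 newBps) external {
        if (msg.sender != owner) revert NotOwner();
        if (newBps > MAX_LOSS_CAP_BPS) revert MaxLossTooHigh(newBps, MAX_LOSS_CAP_BPS);
        emit VaultMaxLossUpdated(vaultMaxLossBps, newBps);
        vaultMaxLossBps = newBps;
    }

    // Same call as in the finding, with the stored tolerance replacing the literal 0.
    function _withdrawFromVault(uint256 amount) internal {
        curveVault.withdraw(amount, address(this), msg.sender, vaultMaxLossBps, new address[](0));
        totalVaultDeposits -= amount;
    }
}
```

With a non-zero tolerance the vault can pass a realized loss on to the redeemer, so the pool may receive less than `amount` and any accounting that assumes the full amount arrived has to tolerate that.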

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
