Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Improper fixed maxloss in _withdrawFromVault

x1485967

Summary

Improper fixed maxloss in _withdrawFromVault

Vulnerability Details

In LendingPool::_withdrawFromVault(), we will withdraw funds from the crvUSD Vault. In this function curveVault.withdraw(), the fourth parameter is one fixed value, 0, it means that the max_loss bps. It means that we do not accept any loss from the crvUSD Vault.

function _withdrawFromVault(uint256 amount) internal {

curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

totalVaultDeposits -= amount;

}

In scrvUSDVault, the deposited funds will be deposited into strategies. In most cases, depositors do not need to take the loss. But if there is something wrong in the strategy, depositors have to take some loss. Because we set the max_loss to 0, it will cause our withdraw transaction will always be reverted.

def _redeem(

sender: address,

receiver: address,

owner: address,

assets: uint256,

shares: uint256,

max_loss: uint256,

strategies: DynArray[address, MAX_QUEUE]

) -> uint256:

"""

The vault will attempt to account for any unrealized losses taken on from

strategies since their respective last reports.

Any losses realized during the withdraw from a strategy will be passed on

to the user that is redeeming their vault shares unless it exceeds the given

`max_loss`.

"""

Impact

The withdraw transaction will always be reverted if there is some loss in the crvUSD vault.

Tools Used

Manual

Recommendations

Add one max_loss variable in the lending pool. The owner can set the variable according to the crvUSD vault's condition.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.