Incorrect Return Values in `ReserveLibrary.withdraw` function
Summary
A discrepancy in the return values of the ReserveLibrary.withdraw function results in incorrect data being returned to the LendingPool.withdraw function.
Vulnerability Details
The ReserveLibrary.withdraw function is expected to return three values: amountWithdrawn, amountScaled, and amountUnderlying. However, due to an implementation error, amountUnderlying is returned twice instead of amountWithdrawn. Specifically, the return statement incorrectly assigns amountUnderlying in place of amountWithdrawn:
Instead, it should return:
Impact
Incorrect Withdrawal Accounting: Since amountWithdrawn is never correctly assigned, users and the protocol itself may misinterpret the actual amount withdrawn.
Tools Used
Manual Review
Recommendations
Fix the Return Statement: Modify the return values in ReserveLibrary.withdraw to correctly return amountWithdrawn:
Lead Judging Commences
ReserveLibrary::withdraw returns amountUnderlying instead of amountWithdrawn, causing incorrect event emissions and potential calculation errors in LendingPool
ReserveLibrary::withdraw returns amountUnderlying instead of amountWithdrawn, causing incorrect event emissions and potential calculation errors in LendingPool
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.