Depositing to the curve vault will always fail as we are sending out tokens we don't have
Summary
Depositing to the curve vault will always fail as we are sending out tokens we don't have
Vulnerability Details
The flow for supplying into the LendingPool involves transferring the asset of the pool (crvUSD), sending it to RToken and then getting minted RToken shares. After that, upon rebalancing the liquidity, we have this piece of code:
We are depositing the excess of the asset into the curve vault:
However, as seen above, we approve the curve vault for the amount and then call deposit() for it. This will simply revert as the crvUSD were sent to the RToken contract and we do not have access to them.
Impact
Rebalancing will be impossible, this will lead to a DOS of many functionalities when a deposit into the vault must happen
Tools Used
Manual Review
Recommendations
Implement a function on RToken to pull the tokens and then approve + deposit
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.