_depositIntoVault: Curve Deposits Always Revert Due to Incorrect Asset Ownership
Summary
A critical bug in the _depositIntoVault function prevents liquidity deposits into the Curve vault. The function incorrectly assumes that the LendingPool contract holds the assets, when in reality, the RToken contract does. This causes the deposit function to always revert, breaking the intended yield-generating mechanism.
Vulnerability Details
Root Cause:
The LendingPool contract calls
curveVault.deposit(amount, address(this)).However, the LendingPool does not hold the reserve assets—the RToken contract does.
As a result,
curveVault.depositalways fails, preventing any deposits.
Expected Behavior:
The deposit should be made from the RToken contract, not the LendingPool contract.
The RToken contract should approve and execute the deposit, ensuring assets are correctly moved into the Curve vault.
Impact
Deposits into the Curve vault are impossible, completely breaking this functionality.
Users miss out on yield generation, reducing the protocol’s efficiency.
Funds remain stuck in the RToken contract, never reaching the Curve vault.
Yield strategies relying on Curve are disrupted, leading to potential financial losses.
Tools Used
Manual Code Review
Recommendations
Fix: Use the RToken Contract for Deposits
Modify _depositIntoVault to ensure the RToken contract executes the deposit:
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.