The LendingPool's _depositIntoVault() function omits two safety checks when interacting with the Curve vault:
- It fails to check the vault's maximum deposit limit before attempting deposits. According to Yearn's v3 documentation, vaults have a maximum deposit limit that should be checked using the maxDeposit() function.
- It does not check the vault's isShutdown() state.
These missing checks can lead to failed transactions, which will make deposits into the LendingPool impossible.
Pre-Condition:
CurveVault contract is deployed and set in LendingPool via setCurveVault()
The current implementation of _depositIntoVault() attempts to deposit funds without checking whether the vault can accept the deposit amount or whether it is in a shutdown state.
According to Yearn's documentation:
> "The max amount that a vault will accept from an address can be returned using the maxDeposit function."
Deposit transactions fail, and there is no way to disable the Vault deposits once the LendingPool::setCurveVault() function has been called.
The protocol can't receive any liquidity from Lenders.
Manual Review
Yearn Docs
Check the maxDeposit value and, if the Vault's limit has been reached, only deposit the remaining amount and send the remaining crvUSD to the RToken contract.
Also check the isShutdown state and don't proceed if the Vault has been shut down.
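One way to apply both recommendations, as an added sketch that is not the project's own code. The contract name, the state variable names, and the assumption that the pool already holds the crvUSD when the function runs are hypothetical; maxDeposit(), isShutdown() and deposit() are the vault's ERC-4626 / Yearn v3 calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces: only the calls used below.
interface IVault {
    function maxDeposit(address receiver) external view returns (uint256);
    function isShutdown() external view returns (bool);
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the LendingPool's vault logic (names are assumptions).
abstract contract VaultDepositSketch {
    IVault public curveVault;          // set via setCurveVault() in the real pool
    IERC20 public crvUSD;              // reserve asset
    address public rToken;             // RToken contract that receives undeposited funds
    uint256 public totalVaultDeposits;

    /// Deposits as much of `amount` as the vault accepts and forwards the rest
    /// to the RToken, so a full or shut-down vault never reverts the lender's deposit.
    /// Assumes this contract holds `amount` crvUSD when called.
    function _depositIntoVault(uint256 amount) internal returns (uint256 deposited) {
        // No vault set, or vault shut down: deposited stays 0 and everything is forwarded.
        if (address(curveVault) != address(0) && !curveVault.isShutdown()) {
            uint256 limit = curveVault.maxDeposit(address(this));
            deposited = amount < limit ? amount : limit;
        }

        if (deposited > 0) {
            require(crvUSD.approve(address(curveVault), deposited), "approve failed");
            curveVault.deposit(deposited, address(this));
            totalVaultDeposits += deposited;
        }

        // Whatever the vault could not take goes to the RToken contract.
        uint256 leftover = amount - deposited;
        if (leftover > 0) {
            require(crvUSD.transfer(rToken, leftover), "transfer failed");
        }
    }
}
```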