Depositing in curve through `LendingPool::_rebalanceLiquidity` won't work as user funds are deposited into `RToken`
Summary
Users can deposit into the LendingPool to provide liquidity and receive RTokens. The problem arises in the deposit() function of the LendingPool. Whenever the current buffer in the LendingPool exceeds the desired level, the LendingPool transfers the excess tokens to the crvPool. However, this transfer cannot occur, as it tries to deposit from the pool to the vault, however, the user-deposited funds are transferred to the RToken and do not stay in the LendingPool.
Vulnerability Details
Whenever a user deposits in LendingPool, the pool will transfer all incoming funds to the RToken:
After that, before finishing the deposit transaction, the pool will check how much funds are in the RToken, compare them to a set buffer, and deposit any excess funds in a curve vault. However, when depositing to curve, it will try to transfer the funds directly from the pool, instead of the RToken, leading to a DoS of the deposit function.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol#L772-L803
Impact
Once the buffer is reached it will result in permanent DoS of the LendingPool::deposit() function.
Tools Used
Manual review
Recommendations
Before depositing to the curve vault, transfer crvUSD from the RToken to the LendingPool.
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.