Deposits to the Curve vault will fail
Summary
All vault deposits fail due to misalignment between token holder (RToken contract) and the contract attempting to deposit (LendingPool).
Vulnerability Details
The deposit function in the LendingPool contract allows users to deposit reserve assets (crvUSD) and receive RTokens. The process follows these steps:
crvUSDis transferred from the user to theRTokencontract, which then mints RTokens to the user (usingReserveLibrary)The
depositfunction calls_rebalanceLiquidity. IfcurrentBufferexceedsdesiredBuffer,_depositIntoVaultis invoked
The issue occurs because:
All
crvUSDtokens are held by theRTokencontractThe Curve vault's deposit function attempts to transfer
crvUSDfrom themsg.sender(LendingPool)Even though
LendingPoolapproves the vault, the transfer will fail asLendingPooldoes not have the tokens
Impact
High: All vault deposits will fail, breaking core protocol functionality.
Recommendations
Fix the token flow to ensure the correct contract holds and transfers the assets.
Current flow (failing):
RToken (has tokens) -> Curve vault tries to take from LendingPool (no tokens)
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.