`LendingPool::setCurveVault` allows owner to update the vault without checking if there is any amount deposited
Summary
LendingPool::setCurveVaultcan be called by the owner to update the curveVault that will receive the values from rebalance transactions.
Vulnerability Details
The owner can update the vault address without manually checking totalVaultDeposits the variable, it will temporarily lock funds away until it is updated again. If a new address is added and also receives deposits, the liquidity would be split through different pool addresses.
Impact
Withdrawals will be temporarily halted, resulting in a denial of service for withdrawal functions. If this issue is identified after a delay, the situation can worsen, potentially fragmenting the protocol's liquidity across various vaults.
Tools Used
Code Review
Recommendations
Lead Judging Commences
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.