In the LendingPool.sol contract the _withdrawFromVault function sets maxLoss to 0, which can cause many withdrawals to revert and potentially DoS important functionality.
The vulnerability arises from the _withdrawFromVault function, which sets the maxLoss parameter to 0 when calling the withdraw function of the Curve vault. The maxLoss parameter specifies the maximum acceptable loss, in basis points, during the withdrawal process. By setting it to 0, the function tolerates no loss at all, so the call reverts whenever the vault cannot meet the exact withdrawal amount without incurring even a small loss.
Because no loss is tolerated during withdrawals, the function may fail frequently, leading to a denial of service (DoS) for important functionality such as liquidity rebalancing and user withdrawals. This can disrupt the protocol's operations, degrading user experience and the overall stability of the system.
Manual Review
To mitigate this vulnerability, update the _withdrawFromVault function to tolerate a small acceptable loss during withdrawals. This can be done by setting the maxLoss parameter to a reasonable value, such as 1%.
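The following Solidity example is added here to illustrate the pattern described above; it is not code from LendingPool.sol or from the audited project. It assumes a vault `withdraw(maxShares, recipient, maxLoss)` signature with `maxLoss` in basis points (an assumption; the page does not show the vault interface), and contrasts the hard-coded `maxLoss = 0` with a hardened version that uses a governance-settable, hard-capped tolerance plus an explicit check on the amount actually received.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed vault interface (hypothetical; modelled on a maxShares/recipient/maxLoss
// withdraw signature, where maxLoss is in basis points and 10_000 == 100%).
interface IVaultWithMaxLoss {
    function withdraw(uint256 maxShares, address recipient, uint256 maxLoss) external returns (uint256);
}

/// Vulnerable pattern: maxLoss hard-coded to 0, so any slippage reverts the whole withdrawal.
contract LendingPoolVulnerable {
    IVaultWithMaxLoss public immutable vault;

    constructor(IVaultWithMaxLoss _vault) { vault = _vault; }

    function _withdrawFromVault(uint256 shares) internal returns (uint256) {
        // Reverts whenever the vault cannot return the exact value of `shares`,
        // which is what makes rebalancing and user withdrawals DoS-able.
        return vault.withdraw(shares, address(this), 0);
    }
}

/// Hardened pattern: bounded, settable tolerance and an explicit post-call check.
contract LendingPoolHardened {
    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_LOSS_CAP_BPS = 100; // hard upper bound: 1%

    IVaultWithMaxLoss public immutable vault;
    address public owner;
    uint256 public maxLossBps = 100; // default 1%, as the report suggests

    event MaxLossUpdated(uint256 oldBps, uint256 newBps);

    error Unauthorized();
    error MaxLossTooHigh(uint256 bps);
    error WithdrawalBelowTolerance(uint256 expected, uint256 received);

    constructor(IVaultWithMaxLoss _vault) {
        vault = _vault;
        owner = msg.sender;
    }

    /// Governance may tune the tolerance, but never above the hard cap.
    function setMaxLossBps(uint256 newBps) external {
        if (msg.sender != owner) revert Unauthorized();
        if (newBps > MAX_LOSS_CAP_BPS) revert MaxLossTooHigh(newBps);
        emit MaxLossUpdated(maxLossBps, newBps);
        maxLossBps = newBps;
    }

    /// `expectedAssets` is the asset value the caller expects for `shares`
    /// (e.g. derived from the vault's price per share before the call).
    function _withdrawFromVault(uint256 shares, uint256 expectedAssets) internal returns (uint256 received) {
        received = vault.withdraw(shares, address(this), maxLossBps);
        // Defence in depth: do not rely solely on the vault enforcing maxLoss.
        uint256 minAcceptable = expectedAssets - (expectedAssets * maxLossBps) / BPS;
        if (received < minAcceptable) revert WithdrawalBelowTolerance(expectedAssets, received);
    }
}
```

The hard cap keeps a compromised or careless owner from turning the tolerance into an unbounded loss, and the post-call check means the pool's accounting does not silently depend on the vault's own enforcement of `maxLoss`.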