Incorrect address to withdraw collateral tokens from Curve Vault when there is shortage of liquidity
Summary
Whenever we want to rebalance the liqudity for the collateral token(crvUSD)(if the amount of tokens exceed the desiredBuffer) or ensure there is enough liqudity for withdraws and borrows in the LendingPool we withdraw funds from a Curve Vault. The logic for withdraw incorrectly transfers the tokens to the current address(the LendingPool) instead of the reserveRTokenAddress address.
Vulnerability Details
Following the logic for borrowing or withdrawing crvUSD tokens, the assets are transfered from the reserveRTokenAddress, which is the address that holds the collateral tokens received from deposits and repayments of borrows, to the user. Withdrawing from the vault to the LendingPool address does not improve the liquidity in terms of the reserveRTokenAddressaddress and borrows/withdraws that exceed the balance of colaterall tokens of reserveRTokenAddress would fail.
Impact
Withdraws and borrows that need additional funds to be withdrawn from the Vault would fail as vault withdraws transfer collateral token to the wrong (LendingPool) address.
Tools Used
Manual Review
Recommendations
Withdraw collaterall tokens from Vault to the reserve.reserveRTokenAddress address instead of address(this).
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.