If a user wants to borrow tokens and there isn't enough liquidity to cover the borrow, the LendingPool will attempt to withdraw liquidity from the Vault, but it withdraws it to the wrong address.
If a user wants to borrow tokens from the LendingPool, the _ensureLiquidity() function is called to make sure there is enough liquidity for the borrow:
If the borrow amount is more than the available liquidity, it will withdraw the difference from the vault. In general, the protocol's liquidity is held at the reserveRTokenAddress (the function also checks the available liquidity at that address), since users' tokens are transferred there when they deposit.
The issue is that the _withdrawFromVault function actually withdraws the tokens to address(this) which is the LendingPool:
This makes the whole request for liquidity pointless. Later in the borrow function flow, the call will still revert due to missing liquidity, since it tries to pull the tokens from the reserveRTokenAddress, but the new liquidity was transferred into the LendingPool instead.
If there isn't enough liquidity for a borrow, the intended function to pull more liquidity will not work and users will still be unable to borrow.
Manual Review
Withdraw the vault tokens into the reserveRTokenAddress instead of the LendingPool.
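The accounting described above can be reproduced with a small balance model. This is an added example, not the protocol's Solidity code: the class and method names, the account labels and the balances are hypothetical and constructed for illustration, and a revert is modelled by restoring a snapshot of the balances.

```python
# Simplified model of the token accounting in this finding (constructed example;
# names and balances are hypothetical, not taken from the protocol's contracts).

class Revert(Exception):
    """Stands in for a reverted transaction."""

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} holds {self.balances.get(src, 0)}, needs {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class LendingPoolModel:
    POOL, RESERVE, VAULT = "LendingPool", "reserveRToken", "Vault"

    def __init__(self, token, withdraw_to):
        self.token = token
        self.withdraw_to = withdraw_to  # recipient of vault withdrawals

    def _ensure_liquidity(self, amount):
        available = self.token.balances.get(self.RESERVE, 0)
        if available < amount:
            # Pull only the shortfall from the vault.
            self.token.transfer(self.VAULT, self.withdraw_to, amount - available)

    def borrow(self, user, amount):
        snapshot = dict(self.token.balances)
        try:
            self._ensure_liquidity(amount)
            # Borrowed tokens are always paid out of the reserve address.
            self.token.transfer(self.RESERVE, user, amount)
        except Revert:
            self.token.balances = snapshot  # a revert undoes all state changes
            raise

def try_borrow(withdraw_to, amount=100):
    token = Token({"reserveRToken": 40, "Vault": 500})  # constructed balances
    pool = LendingPoolModel(token, withdraw_to)
    try:
        pool.borrow("alice", amount)
        return "ok", token.balances
    except Revert:
        return "reverted", token.balances
```

Calling `try_borrow(LendingPoolModel.POOL)` models the current behaviour and `try_borrow(LendingPoolModel.RESERVE)` models the recommended recipient; a borrow that fits within the existing reserve balance succeeds either way, which is why the defect only shows up when the vault has to be tapped.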