Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Asset deposits in excess of `desiredBuffer` will revert for users

OpaBatyo

Summary

There is a desired buffer of assets in the LendingPool, and if deposits exceed it, the excess liquidity is to be deposited into the Curve Vault. Unfortunately, the deposit will fail since the assets are transferred to the reserveRTokenAddress when deposited, but the _depositIntoVault() function attempts to transfer them from the lending pool, which actually won't hold any assets.

Vulnerability Details

At the end of deposits flow, _rebalanceLiquidity() is called, and if assets in excess of the desiredBuffer are accumulated, they are to be deposited into the Curve Vault:

function _rebalanceLiquidity() internal {
...
uint256 totalDeposits = reserve.totalLiquidity; // Total liquidity in the system
uint256 desiredBuffer = totalDeposits.percentMul(liquidityBufferRatio);
uint256 currentBuffer = IERC20(reserve.reserveAssetAddress).balanceOf(reserve.reserveRTokenAddress);
if (currentBuffer > desiredBuffer) {
uint256 excess = currentBuffer - desiredBuffer;
// Deposit excess into the Curve vault
_depositIntoVault(excess);
}
...
}

As seen from the function, the check for total deposits is made on the reserve since that's where assets are transferred when users deposit. But if we look at _depositIntoVault() we will see that it attempts to deposit the excess from the LendingPool and not the reserveRTokenAddress:

function _depositIntoVault(uint256 amount) internal {
IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
curveVault.deposit(amount, address(this));
totalVaultDeposits += amount;
}

This means that even if assets in excess of the desired buffer are deposited into the protocol, they will never be deposited into the Curve Vault since the LendingPool will not hold any assets to be able to transfer them. Furthermore, the whole deposit flow will just revert when the vault attempts to send the liquidity from the LendingPool and users will not be able to deposit at all.

Impact

Any deposit attempts made in excess of the desiredBuffer will fail and revert, breaking one of the most crucial protocol functions. Due to the functionality being so important, while the likelyhood is very high (deposits just need to reach buffer), I believe high severity is appropriate.

Tools Used

Manual Review

Recommendations

Implement a function in the reserve which when called deposits the excess into the vault and call that instead when excess buffer is reached.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!