If the protocol's liquidity buffer falls below desiredBuffer, assets are supposed to be withdrawn from the Curve Vault to top it up. Because the wrong shares owner is passed to the vault's withdraw call, that withdrawal reverts instead.
When users deposit/withdraw from the LendingPool, _rebalanceLiquidity() is called at the end of the function flow to check if the desiredBuffer is met, and if not, withdraw liquidity from the Curve Vault:
But if we look at _withdrawFromVault(), we will see it passes msg.sender as the shares owner:
This is incorrect: the LendingPool contract is the one that deposits the assets into the Curve Vault (whenever the assets deposited in the protocol exceed the desired buffer), so the LendingPool, not msg.sender, is the owner of the shares.
Withdrawing assets from the Curve Vault to meet the desired buffer therefore cannot work. This is quite problematic, since the call reverts whenever a user's withdrawal from the LendingPool leaves the buffer below desiredBuffer, and I believe users being unable to withdraw warrants High severity.
Manual Review
Pass address(this) as the shares owner when withdrawing from the Curve Vault.
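As an added illustration, not code from the finding or from the audited project: a toy ERC-4626-style vault and a pool sketch with hypothetical names (MockVault, PoolSketch, PoolBuggy, PoolFixed, buffer) that reproduce only the share-owner check the finding hinges on, with the msg.sender version beside the address(this) fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Toy ERC-4626-style vault standing in for the Curve Vault. Constructed for this
// illustration, not the project's code: 1 share == 1 asset and no tokens move;
// only the owner / allowance check in withdraw() is modelled, since that is the
// check the finding hinges on.
contract MockVault {
    mapping(address => uint256) public shares;
    mapping(address => mapping(address => uint256)) public allowance;

    // Credits `receiver` with shares for the assets the caller deposits.
    function deposit(uint256 assets, address receiver) external returns (uint256) {
        shares[receiver] += assets;
        return assets;
    }

    // ERC-4626 withdraw(assets, receiver, owner): burns `owner`'s shares. A caller
    // other than `owner` needs an allowance from the owner, otherwise it reverts.
    function withdraw(uint256 assets, address, address owner) external returns (uint256) {
        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender];
            require(allowed >= assets, "vault: caller is not owner and has no allowance");
            allowance[owner][msg.sender] = allowed - assets;
        }
        require(shares[owner] >= assets, "vault: owner holds too few shares");
        shares[owner] -= assets;
        return assets;
    }
}

// Sketch of the LendingPool side (hypothetical names). `buffer` is the liquidity
// kept in the pool; anything above `desiredBuffer` is parked in the vault, and the
// pool itself receives the vault shares.
abstract contract PoolSketch {
    MockVault public immutable vault;
    uint256 public immutable desiredBuffer;
    uint256 public buffer;
    mapping(address => uint256) public deposits;

    constructor(MockVault _vault, uint256 _desiredBuffer) {
        vault = _vault;
        desiredBuffer = _desiredBuffer;
    }

    function deposit(uint256 amount) external {
        deposits[msg.sender] += amount;
        buffer += amount;
        _rebalanceLiquidity();
    }

    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "pool: exceeds deposit");
        require(buffer >= amount, "pool: buffer too low");
        deposits[msg.sender] -= amount;
        buffer -= amount;        // pay the user out of the buffer ...
        _rebalanceLiquidity();   // ... then top the buffer back up, as in the finding
    }

    // Park any excess in the vault; pull from the vault when the buffer is short.
    function _rebalanceLiquidity() internal {
        if (buffer > desiredBuffer) {
            uint256 excess = buffer - desiredBuffer;
            buffer -= excess;
            vault.deposit(excess, address(this)); // the pool is the shares owner
        } else if (buffer < desiredBuffer) {
            uint256 shortfall = desiredBuffer - buffer;
            uint256 held = vault.shares(address(this));
            uint256 toPull = shortfall < held ? shortfall : held;
            if (toPull > 0) {
                _withdrawFromVault(toPull);
                buffer += toPull;
            }
        }
    }

    function _withdrawFromVault(uint256 assets) internal virtual;
}

// The pattern the finding describes: inside the pool, msg.sender is the user who
// called deposit()/withdraw(), and that user owns no vault shares, so the vault
// reverts. Walk-through with desiredBuffer = 100: a user deposits 150 and the pool
// parks 50 in the vault; the user then withdraws 80, the buffer drops to 20, the
// rebalance tries to pull 50 back and reverts, taking the whole withdrawal with it.
contract PoolBuggy is PoolSketch {
    constructor(MockVault v, uint256 b) PoolSketch(v, b) {}

    function _withdrawFromVault(uint256 assets) internal override {
        vault.withdraw(assets, address(this), msg.sender); // wrong owner
    }
}

// The recommended fix: the pool deposited the shares, so it passes itself as owner.
// Same walk-through: the pull of 50 succeeds and the buffer ends at 70.
contract PoolFixed is PoolSketch {
    constructor(MockVault v, uint256 b) PoolSketch(v, b) {}

    function _withdrawFromVault(uint256 assets) internal override {
        vault.withdraw(assets, address(this), address(this)); // correct owner
    }
}
```

The point of the mock is the first branch of MockVault.withdraw(): a real ERC-4626 vault spends the caller's allowance from `owner` when the two differ, so passing the end user as owner makes the pool look like a third party with no allowance, and the revert propagates up through _rebalanceLiquidity() into the user's withdraw.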