Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

The protocol does not rebalance liquidity after repay and liquidate.

Summary

The protocol does not rebalance liquidity after repay and liquidate.

Vulnerability Details

LendingPool.sol#_rebalanceLiquidity() function is as follows.

function _rebalanceLiquidity() internal {
    // if curve vault is not set, do nothing
    if (address(curveVault) == address(0)) {
        return;
    }
    uint256 totalDeposits = reserve.totalLiquidity; // Total liquidity in the system
    uint256 desiredBuffer = totalDeposits.percentMul(liquidityBufferRatio);
    uint256 currentBuffer = IERC20(reserve.reserveAssetAddress).balanceOf(reserve.reserveRTokenAddress);
    if (currentBuffer > desiredBuffer) {
        uint256 excess = currentBuffer - desiredBuffer;
        // Deposit excess into the Curve vault
        _depositIntoVault(excess);
    } else if (currentBuffer < desiredBuffer) {
        uint256 shortage = desiredBuffer - currentBuffer;
        // Withdraw shortage from the Curve vault
        _withdrawFromVault(shortage);
    }
    emit LiquidityRebalanced(currentBuffer, totalVaultDeposits);
}

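As the code shows, this function rebalances liquidity between the buffer held at the RToken address and the Curve vault.
The LendingPool.sol#deposit, withdraw and borrow functions rebalance liquidity.
But LendingPool.sol#_repay() and finalizeLiquidation() do not rebalance liquidity.
This is wrong: after a repayment or a liquidation the buffer is left as it is instead of being brought back to the desired ratio.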

Impact

This vulnerability causes the protocol to earn less yield, because excess funds are not deposited into the Curve vault.

Tools Used

Manual review

Recommendations

Modify LendingPool.sol#_repay() and finalizeLiquidation() so that they rebalance liquidity at the end.
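The effect of the missing call can be seen in a small accounting model. This is an added example, not the project's code: the class and method names are hypothetical, the 20% buffer ratio and the amounts are constructed, and it assumes percentMul works in basis points and that repaid funds land at the RToken address and count toward total liquidity.

```python
BPS = 10_000  # assumption: percentMul uses basis points (10_000 = 100%)

class PoolModel:
    """Simplified accounting model; names are hypothetical, not the project's."""

    def __init__(self, buffer_ratio_bps=2_000):  # constructed value: 20% buffer
        self.buffer_ratio_bps = buffer_ratio_bps
        self.total_liquidity = 0  # stands in for reserve.totalLiquidity
        self.buffer = 0           # reserve asset held at the RToken address
        self.vault = 0            # reserve asset deposited in the Curve vault

    def desired_buffer(self):
        return self.total_liquidity * self.buffer_ratio_bps // BPS

    def idle_excess(self):
        # Funds above the desired buffer that are not earning yield in the vault.
        return max(0, self.buffer - self.desired_buffer())

    def rebalance(self):
        # Mirrors _rebalanceLiquidity(): move the difference to or from the vault.
        delta = self.buffer - self.desired_buffer()
        self.buffer -= delta
        self.vault += delta

    def deposit(self, amount):
        self.buffer += amount
        self.total_liquidity += amount
        self.rebalance()

    def borrow(self, amount):
        if self.buffer < amount:  # pull the missing part out of the vault first
            pull = amount - self.buffer
            self.vault -= pull
            self.buffer += pull
        self.buffer -= amount
        self.total_liquidity -= amount
        self.rebalance()

    def repay(self, amount, rebalance_after):
        # Assumption: repaid funds land at the RToken address and count as liquidity.
        self.buffer += amount
        self.total_liquidity += amount
        if rebalance_after:  # False models the behaviour reported in this finding
            self.rebalance()

def scenario(rebalance_after):
    """Deposit 1000, borrow 500, repay 500; return (buffer, vault, idle excess)."""
    pool = PoolModel()
    pool.deposit(1_000)
    pool.borrow(500)
    pool.repay(500, rebalance_after)
    return pool.buffer, pool.vault, pool.idle_excess()
```

Without the rebalance after repay, 400 of the 600 units in the buffer sit above the desired 200 and stay out of the vault; with it, the pool returns to 200 in the buffer and 800 in the vault.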

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::finalizeLiquidation or repay doesn't call _rebalanceLiquidity, leaving excess funds idle instead of depositing them in Curve vault for yield
