Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Owner Parameter during Curve Vault Withdrawals Leading to a DOS

otor

Summary

The _withdrawFromVault function in the LendingPool contract incorrectly uses msg.sender as the owner parameter when calling Curve vault's withdraw function. Since the shares are owned by the LendingPool contract (address(this)), using msg.sender as the owner will cause the withdrawal to fail.

Vulnerability Details

// Current implementation - Incorrect
function _withdrawFromVault(uint256 amount) internal {
curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
totalVaultDeposits -= amount;
}

The issue occurs because:

  1. During deposit, shares are minted to address(this) (LendingPool)

    function _depositIntoVault(uint256 amount) internal {
    IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
    curveVault.deposit(amount, address(this)); // shares are minted into the lending vault
    totalVaultDeposits += amount;
    }

    And as declared in the interface:

    /**
    * @notice Deposits assets into the vault
    * @param assets Amount of assets to deposit
    * @param receiver Address to receive the shares
    * @return shares Amount of shares minted
    */
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);

  2. During withdrawal, msg.sender is incorrectly used as the owner parameter

    As declared in the interface, the owner is the Owner of the shares:

    /**
    * @notice Withdraws assets from the vault
    * @param assets Amount of assets to withdraw
    * @param receiver Address to receive the assets
    * @param owner Owner of the shares
    * @param maxLoss Maximum acceptable loss in basis points
    * @param strategies Optional specific strategies to withdraw from
    * @return shares Amount of shares burned
    */
    function withdraw(
    uint256 assets,
    address receiver,
    address owner,
    uint256 maxLoss,
    address[] calldata strategies
    ) external returns (uint256 shares);

  3. Curve vault checks ownership of shares against the owner parameter

  4. Since msg.sender doesn't own the shares, the withdrawal fails

Impact

  1. All withdrawals from Curve vault will fail

  2. Protocol cannot access deposited assets

  3. User withdrawals and borrowing operations may be blocked

  4. Could lead to locked funds in Curve vault

Tools Used

Manual

Recommendations

function _withdrawFromVault(uint256 amount) internal {
// Use address(this) as owner since LendingPool owns the shares
curveVault.withdraw(
amount,
address(this), // receiver
address(this), // owner - LendingPool owns the shares
0, // maxLoss
new address[](0) // strategies
);
totalVaultDeposits -= amount;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!