The _withdrawFromVault function in the LendingPool contract incorrectly sets the recipient as address(this) (LendingPool) instead of reserve.reserveRTokenAddress (RToken contract) when withdrawing from the Curve vault. This misalignment breaks the protocol's asset flow since RToken is meant to be the holder of the reserve assets.
The issue occurs because:
The protocol design requires reserve assets to be held by the RToken contract
The current implementation sends assets to LendingPool instead
This breaks the expected asset flow and accounting
Impact:
Assets are sent to the wrong contract address
The protocol's asset management flow is broken
Accounting errors could result
User withdrawals and protocol operations may be affected
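The recipient mistake and its correction in a simplified model, as an added example that is not the protocol's code. MockAsset, MockVault, PoolModel, the two-argument withdraw and poolHoldsNoReserves are assumed names, and the mock vault does not reproduce the Curve vault's real interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed, simplified model: not the protocol's contracts and not Curve's real vault interface.
contract MockAsset {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8+
        balanceOf[to] += amount;
        return true;
    }
}

contract MockVault {
    MockAsset public immutable asset;
    constructor(MockAsset a) { asset = a; }
    // Hypothetical two-argument withdraw: pays `amount` of the asset to `receiver`.
    function withdraw(uint256 amount, address receiver) external {
        asset.transfer(receiver, amount);
    }
}

contract PoolModel {
    MockAsset public immutable asset;
    MockVault public immutable vault;
    address public immutable reserveRTokenAddress; // stand-in for reserve.reserveRTokenAddress

    constructor(MockAsset a, MockVault v, address rToken) {
        asset = a; vault = v; reserveRTokenAddress = rToken;
    }

    // Behaviour described in the finding: withdrawn funds land in the pool itself.
    function withdrawFromVaultBuggy(uint256 amount) external {
        vault.withdraw(amount, address(this));
    }

    // Corrected recipient: withdrawn funds land in the RToken, the intended reserve holder.
    function withdrawFromVaultFixed(uint256 amount) external {
        vault.withdraw(amount, reserveRTokenAddress);
    }

    // Invariant to assert after any vault withdrawal: the pool holds no reserve asset.
    function poolHoldsNoReserves() external view returns (bool) {
        return asset.balanceOf(address(this)) == 0;
    }
}
```

After minting assets to the mock vault, poolHoldsNoReserves returns false following withdrawFromVaultBuggy and true following withdrawFromVaultFixed, which makes it a suitable regression assertion for the fix.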