Core Contracts

Summary

Vulnerability Details

In the lending pool contract. The function _rebalanceLiquidity() is used by this contract to rebalance liquidity between the buffer and the curve vault to maintain the desired buffer ratio. This ensures that excess liquidity are deposited into the curve vault inorder to yield profit and during shortage of liquidity in the pool, funds are withdrawn from the curve vault to the pool.

Upon examination of the contract it was observed that liquidity changing functions like deposit(), withdraw() and borrow() calls on the _rebalanceLiquidity() function but this call was omitted from the repay() function which is also a key liquidity changing function. When a user repays a loan, the reserve balance increases and the liquidity buffer may grow beyond the desired ratio but in this case the excess liquidity stays idle instead of being deposited into the Curve vault until a borrow, deposit or withdrawal triggers _rebalanceLiquidity. This omission will result to a discrepancy in the giving desired buffer ratio. Although the imbalance is temporary, it still introduces inefficiencies.

Impact

The impact of this issue is the temporary inefficiencies in capital utilization it introduce to the system. That is idle liquidity remains in the buffer until another function triggers rebalancing

Tools Used

Manual review

Recommendations

This issue can be mitigated by calling _rebalanceLiquidity() inside the repay function inorder to ensure liquidity is efficiently redeployed immediately after repayment thereby avoiding these inefficiencies.