When there's a shortage of liquidity in the LendingPool, it calls curveVault to cover the shortage. However, it incorrectly passes msg.sender (the user) as the OWNER, which will cause the function to fail each time it's called.
In the LendingPool contract, the function _ensureLiquidity() makes sure that the LendingPool has sufficient liquidity to cover withdrawals or borrows made by the user. If there is a shortage of liquidity, it calls curveVault via _withdrawFromVault() to cover the shortage. However, there is an issue here, i.e. SOURCE
Notice the second and third parameters in the function call: of these, the first is the RECIPIENT and the second is the OWNER.
The owner should've been the contract itself, i.e. address(this). However, as we incorrectly pass in msg.sender, this would make this function call fail every time.
Reason: When there is a shortage or excess of liquidity in the LendingPool, the LendingPool makes the deposits into or withdrawals from the curveVault contract. Therefore, it should be the OWNER, not the user. You can track the flow for withdraw() in curveVault from here, i.e. source
Users will be unable to withdraw their funds
Manual
Consider replacing msg.sender with address(this).
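The owner mismatch described above, reduced to a minimal model with the failing call beside the recommended one. This is an added example, not the project's code: MockVault, MockLendingPool, seed() and both ensureLiquidity functions are hypothetical, and the vault rule that only the owner can debit its own balance is an assumption about why the call fails.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Hypothetical minimal vault (an assumption, not the real curveVault):
// balances are credited to the depositor and debited from `owner` on withdraw.
contract MockVault {
    mapping(address => uint256) public balanceOf;
    event Withdrawn(address indexed owner, address indexed recipient, uint256 amount);

    function deposit(uint256 amount, address receiver) external {
        balanceOf[receiver] += amount;
    }

    function withdraw(uint256 amount, address recipient, address owner) external {
        // Assumed rule: only the owner may spend its own position (no allowances here).
        require(msg.sender == owner, "caller is not owner");
        require(balanceOf[owner] >= amount, "owner balance too low");
        balanceOf[owner] -= amount;
        emit Withdrawn(owner, recipient, amount); // asset transfer omitted in this model
    }
}

// Hypothetical pool that parks excess liquidity in the vault under its own address.
contract MockLendingPool {
    MockVault public immutable vault;
    uint256 public liquidity; // assets held directly by the pool

    constructor(MockVault v) { vault = v; }

    function seed(uint256 idle, uint256 inVault) external {
        liquidity = idle;
        vault.deposit(inVault, address(this)); // the pool is the depositor
    }

    // As described in the finding: the user is passed as OWNER, so this reverts.
    function ensureLiquidityBuggy(uint256 amount) external {
        if (liquidity >= amount) return;
        uint256 shortage = amount - liquidity;
        vault.withdraw(shortage, address(this), msg.sender);
        liquidity += shortage;
    }

    // Recommended form: the pool itself is the OWNER of the vault position.
    function ensureLiquidityFixed(uint256 amount) external {
        if (liquidity >= amount) return;
        uint256 shortage = amount - liquidity;
        vault.withdraw(shortage, address(this), address(this));
        liquidity += shortage;
    }
}
```

After seed(0, 100), ensureLiquidityBuggy(10) reverts for any caller, while ensureLiquidityFixed(10) succeeds and leaves the pool with 90 in the vault.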