Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Insufficient Validation in Withdrawal Logic Allows a User to Withdraw the Entire Balance of curveVault

Summary

The withdrawal logic contains a vulnerability that allows a user to request a withdrawal far larger than their actual balance. The protocol withdraws the shortfall from the vault, but only the user's actual rToken balance is burned. This discrepancy can drain liquidity from curveVault.

Vulnerability Details

The vulnerability arises in the withdraw logic, where the protocol checks for sufficient liquidity and withdraws the required amount from the vault if the available liquidity is insufficient.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L249

```solidity
function _ensureLiquidity(uint256 amount) internal {
    // if curve vault is not set, do nothing
    if (address(curveVault) == address(0)) {
        return;
    }
    // Reserve asset held at the rToken address is the pool's on-hand liquidity
    uint256 availableLiquidity = IERC20(reserve.reserveAssetAddress).balanceOf(reserve.reserveRTokenAddress);
    if (availableLiquidity < amount) {
        uint256 requiredAmount = amount - availableLiquidity;
        // Withdraw required amount from the Curve vault
        _withdrawFromVault(requiredAmount);
    }
}
```

However, the withdrawal flow does not validate that the user holds enough rTokens to cover the requested amount before `_ensureLiquidity` pulls funds from the vault.

In the burn function, the protocol correctly limits the amount to be burned to the user's actual balance.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/DebtToken.sol#L202

However, this validation occurs after the withdrawal from the vault has already been initiated. As a result, a user with only 10 rTokens can attempt to withdraw 100,000 tokens. The protocol will withdraw 99,990 tokens from the vault, but only 10 rTokens will be burned.

Impact

  • Liquidity Drain: An attacker could exploit this vulnerability to drain liquidity from the vault without providing the corresponding amount of rTokens.

Tools Used

  • Manual code review

Recommendations

Pre-Validation of User Balance: Add a check in the withdraw function to ensure that the user has sufficient rTokens before initiating any withdrawal from the vault. This can be done by comparing the user's balance with the requested withdrawal amount.
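The recommended ordering, as an added illustration that is not RAAC's code: a minimal pool that checks the caller's rToken balance before `_ensureLiquidity` touches the vault, then burns exactly what was validated. The interfaces, contract name and the `burn(address,uint256)` signature are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal interfaces for illustration; names and signatures
// are assumptions, not the RAAC contracts' actual ABI.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}
interface IRTokenLike is IERC20Like {
    function burn(address from, uint256 amount) external;
}
interface IVaultLike {
    function withdraw(uint256 amount) external;
}

contract PoolWithPreValidation {
    error InsufficientRTokenBalance(uint256 requested, uint256 available);

    IERC20Like public immutable reserveAsset;
    IRTokenLike public immutable rToken;
    IVaultLike public curveVault;

    constructor(IERC20Like asset_, IRTokenLike rToken_, IVaultLike vault_) {
        reserveAsset = asset_;
        rToken = rToken_;
        curveVault = vault_;
    }

    function withdraw(uint256 amount) external {
        // Pre-validation: reject requests above the caller's rToken balance
        // before any vault interaction, so the vault is only tapped for an
        // amount that will actually be burned.
        uint256 userBalance = rToken.balanceOf(msg.sender);
        if (amount > userBalance) {
            revert InsufficientRTokenBalance(amount, userBalance);
        }
        _ensureLiquidity(amount);
        rToken.burn(msg.sender, amount);
        // Transfer of the underlying asset to the caller follows here in a real pool.
    }

    function _ensureLiquidity(uint256 amount) internal {
        if (address(curveVault) == address(0)) return;
        // Reserve asset is held at the rToken address, as in the reported code.
        uint256 availableLiquidity = reserveAsset.balanceOf(address(rToken));
        if (availableLiquidity < amount) {
            curveVault.withdraw(amount - availableLiquidity);
        }
    }
}
```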

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
