Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Asset Deposits to Curve Vault in _rebalanceLiquidity

Summary

The _rebalanceLiquidity function is designed to rebalance liquidity between the lending pool and the Curve vault. However, when depositing into the Curve vault, the function incorrectly assumes that the lending pool holds the reserve assets (reserve.reserveAssetAddress). The reserve assets are held in the reserveRTokenAddress contract, not the lending pool. As a result, the _depositIntoVault and _withdrawFromVault functions will fail due to insufficient balance in the lending pool.

Vulnerability Details

The issue arises in the _rebalanceLiquidity function, which attempts to deposit or withdraw reserve assets (reserve.reserveAssetAddress) into/from the Curve vault. The function assumes that the lending pool holds the reserve assets, but in reality, the assets are held in the reserveRTokenAddress contract.

    // @audit assets are transferred to rToken
    ERC20(reserve.reserveAssetAddress).safeTransferFrom(
        msg.sender,                   // from
        reserve.reserveRTokenAddress, // to
        amount                        // amount
    );

The _depositIntoVault function approves and transfers assets from the lending pool (address(this)), but the lending pool does not hold the reserve assets. When _depositIntoVault is called, the deposit will therefore fail because the lending pool does not have the required reserve assets.

    // @audit reserve assets are not in the pool
    function _depositIntoVault(uint256 amount) internal {
        IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
        curveVault.deposit(amount, address(this));
        totalVaultDeposits += amount;
    }

Impact

deposit, withdraw and borrow will fail whenever rebalancing tries to deposit into the Curve vault.

Tools Used

Manual

Recommendations

  • Transfer the required amount of reserve assets from reserveRTokenAddress to the lending pool before depositing into the Curve vault.

    function _depositIntoVault(uint256 amount) internal {
        // Transfer assets from reserveRTokenAddress to the lending pool.
        // Note: safeTransferFrom only succeeds if reserveRTokenAddress has
        // approved this contract (the lending pool) for at least `amount`.
        IERC20(reserve.reserveAssetAddress).safeTransferFrom(
            reserve.reserveRTokenAddress, // from
            address(this),                // to (lending pool)
            amount                        // amount
        );
        // Approve and deposit into the Curve vault
        IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
        curveVault.deposit(amount, address(this));
        totalVaultDeposits += amount;
    }

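An added example, not the project's or the submitter's code: a simplified in-memory JavaScript model of the token flows described in this finding, run for the original `_depositIntoVault`, for the recommended fix without an allowance, and for the fix with one. The `Token` class, the address labels and `scenario` are hypothetical, and the vault is assumed to pull funds from its caller via `transferFrom`, as the `approve` plus `deposit` pair implies.

```javascript
// Simplified ERC-20 ledger (constructed for illustration, not the project's contracts).
class Token {
  constructor() { this.bal = new Map(); this.allow = new Map(); }
  balanceOf(a) { return this.bal.get(a) || 0n; }
  mint(to, amt) { this.bal.set(to, this.balanceOf(to) + amt); }
  approve(owner, spender, amt) { this.allow.set(`${owner}>${spender}`, amt); }
  // `caller` plays the role of msg.sender spending `from`'s allowance.
  transferFrom(caller, from, to, amt) {
    const key = `${from}>${caller}`;
    const allowed = this.allow.get(key) || 0n;
    if (allowed < amt) throw new Error("insufficient allowance");
    if (this.balanceOf(from) < amt) throw new Error("insufficient balance");
    this.allow.set(key, allowed - amt);
    this.bal.set(from, this.balanceOf(from) - amt);
    this.bal.set(to, this.balanceOf(to) + amt);
  }
}

// Hypothetical address labels.
const USER = "user", POOL = "lendingPool", RTOKEN = "rToken", VAULT = "curveVault";

// User deposit as quoted in the finding: funds go straight to the RToken, not the pool.
function userDeposit(token, amt) {
  token.approve(USER, POOL, amt);
  token.transferFrom(POOL, USER, RTOKEN, amt);
}

// _depositIntoVault: the vault pulls `amt` from the pool (address(this)).
function depositIntoVault(token, amt, { pullFromRToken }) {
  if (pullFromRToken) token.transferFrom(POOL, RTOKEN, POOL, amt); // recommended fix
  token.approve(POOL, VAULT, amt);
  token.transferFrom(VAULT, POOL, VAULT, amt); // models curveVault.deposit(amount, ...)
}

// Runs one deposit followed by a 200-unit rebalance into the vault.
function scenario({ pullFromRToken, rTokenApprovesPool }) {
  const token = new Token();
  token.mint(USER, 1000n);
  userDeposit(token, 1000n);
  if (rTokenApprovesPool) token.approve(RTOKEN, POOL, 200n);
  try {
    depositIntoVault(token, 200n, { pullFromRToken });
    return { ok: true, vault: token.balanceOf(VAULT), rToken: token.balanceOf(RTOKEN) };
  } catch (e) {
    return { ok: false, error: e.message, pool: token.balanceOf(POOL) };
  }
}
```

In this model the original code fails on the pool's zero balance, and the recommended `safeTransferFrom` only succeeds once the RToken side has granted the lending pool an allowance.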
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
