Core Contracts

Regnum Aurum Acquisition Corp
Tags: Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

LendingPool::setCurveVault does not transfer crvUSD from old vault to new vault

Summary

In LendingPool, users deposit crvUSD. A portion of the deposits, set by liquidityBufferRatio, is kept as a liquid buffer on the LendingPool contract itself, and the rest is staked in the curveVault.

The issue is that there is no mechanism to move the liquidity held in the old curveVault to the new one when the owner updates the vault address (for example, after Curve.fi rolls out a new vault).

Vulnerability Details

Calling setCurveVault changes the curveVault storage variable but does not transfer the funds previously staked in the old vault to the new one.

The pool's accounting then no longer matches what it can actually reach, and the liquidity already staked stays stranded in the old vault.

Impact

Changing curveVault breaks the LendingPool's accounting: the staked portion (totalDeposits minus the liquidity buffer) remains in the old vault, which the pool no longer references. Users will not be able to withdraw() their crvUSD, because the buffer alone is not enough liquidity for everyone.

Tools Used

Manual

Recommendations

Withdraw all liquidity from the previous vault before updating the address, then rebalance so the surplus is staked in the new vault. The withdrawal has to happen before curveVault is reassigned, while the pool's withdraw helper still targets the old vault.

function setCurveVault(address newVault) external onlyOwner {
    require(newVault != address(0), "Invalid vault address");
+   _withdrawFromVault(scrvUSD.balanceOf(address(this))); // unstake everything from the old vault first
    address oldVault = address(curveVault);
    curveVault = ICurveCrvUSDVault(newVault);
+   _rebalanceLiquidity(); // re-stake the surplus into the new vault
    emit CurveVaultUpdated(oldVault, newVault);
}
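The accounting failure described under Vulnerability Details and Impact, and the withdraw-then-rebalance ordering of the recommended fix, can be reproduced in a small behavioural model. The following Python is an added example, not the project's Solidity: CurveVault, LendingPool and their method names are constructed stand-ins that model only the buffer/stake split and the vault swap, with a 1:1 share-to-asset vault and a 20% buffer ratio assumed for the scenario.

```python
"""Behavioural model of the LendingPool vault-swap issue (constructed example)."""


class CurveVault:
    """Stand-in for the Curve vault: holds crvUSD per depositor, 1 share == 1 crvUSD (assumption)."""

    def __init__(self) -> None:
        self.balances: dict[str, int] = {}

    def deposit(self, owner: str, amount: int) -> None:
        self.balances[owner] = self.balances.get(owner, 0) + amount

    def withdraw(self, owner: str, amount: int) -> int:
        held = self.balances.get(owner, 0)
        if amount > held:
            raise RuntimeError("vault: insufficient balance")
        self.balances[owner] = held - amount
        return amount

    def balance_of(self, owner: str) -> int:
        return self.balances.get(owner, 0)


class LendingPool:
    """Pool that keeps `buffer_ratio_bps` of deposits liquid and stakes the rest in a vault."""

    NAME = "LendingPool"

    def __init__(self, vault: CurveVault, buffer_ratio_bps: int = 2000) -> None:
        self.curve_vault = vault
        self.buffer_ratio_bps = buffer_ratio_bps  # 2000 bps = 20 % buffer (assumed value)
        self.liquid = 0           # crvUSD held directly by the pool
        self.total_deposits = 0   # what the pool believes it holds in total

    def _rebalance_liquidity(self) -> None:
        """Move crvUSD between pool and the *current* vault so the buffer matches the ratio."""
        target_buffer = self.total_deposits * self.buffer_ratio_bps // 10_000
        if self.liquid > target_buffer:
            excess = self.liquid - target_buffer
            self.curve_vault.deposit(self.NAME, excess)
            self.liquid -= excess
        elif self.liquid < target_buffer:
            self.liquid += self.curve_vault.withdraw(self.NAME, target_buffer - self.liquid)

    def _withdraw_from_vault(self, amount: int) -> None:
        self.liquid += self.curve_vault.withdraw(self.NAME, amount)

    def reachable_assets(self) -> int:
        """crvUSD the pool can actually reach: buffer plus its stake in the current vault."""
        return self.liquid + self.curve_vault.balance_of(self.NAME)

    def accounting_is_consistent(self) -> bool:
        """Invariant the finding shows being broken: reachable assets == total deposits."""
        return self.reachable_assets() == self.total_deposits

    def deposit(self, amount: int) -> None:
        self.total_deposits += amount
        self.liquid += amount
        self._rebalance_liquidity()

    def withdraw(self, amount: int) -> None:
        if amount > self.total_deposits:
            raise RuntimeError("withdraw exceeds deposits")
        if self.liquid < amount:
            # pull the shortfall from the current vault; fails if the funds are not there
            self._withdraw_from_vault(amount - self.liquid)
        self.liquid -= amount
        self.total_deposits -= amount
        self._rebalance_liquidity()

    def set_curve_vault_vulnerable(self, new_vault: CurveVault) -> None:
        """As described in the finding: swaps the pointer and leaves the stake behind."""
        self.curve_vault = new_vault

    def set_curve_vault_fixed(self, new_vault: CurveVault) -> None:
        """Recommended fix: unstake everything, swap, then rebalance into the new vault."""
        self._withdraw_from_vault(self.curve_vault.balance_of(self.NAME))
        self.curve_vault = new_vault
        self._rebalance_liquidity()


def run_scenario(fixed: bool) -> dict:
    """Deposit 1000 crvUSD, swap the vault, then attempt a full withdrawal."""
    old_vault, new_vault = CurveVault(), CurveVault()
    pool = LendingPool(old_vault)
    pool.deposit(1_000)  # 200 stays liquid, 800 is staked in old_vault
    (pool.set_curve_vault_fixed if fixed else pool.set_curve_vault_vulnerable)(new_vault)
    consistent = pool.accounting_is_consistent()
    try:
        pool.withdraw(1_000)
        withdraw_ok = True
    except RuntimeError:
        withdraw_ok = False
    return {
        "consistent_after_swap": consistent,
        "stuck_in_old_vault": old_vault.balance_of(pool.NAME),
        "full_withdraw_ok": withdraw_ok,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

In the vulnerable run the invariant check fails right after the swap, 800 crvUSD remains in the old vault, and the full withdrawal reverts because the new vault holds nothing; in the fixed run the stake is moved before the pointer changes, the invariant holds, and the withdrawal succeeds.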
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
