LendingPool's _depositIntoVault always fails due to token flow issue
Summary
The _depositIntoVault function in the LendingPool contract attempts to deposit tokens from LendingPool contract into the Curve vault, but this operation will fail because by design, the LendingPool contract does not hold any asset tokens.
Vulnerability Details
The issue occurs because:
All user deposits(asset Tokens) in the protocol are held by the RToken contract
The LendingPool contract never receives or holds the actual asset tokens
The approve and deposit calls will revert due to insufficient token balance in LendingPool
Impact
Failed Transactions: All vault deposit operations will revert due to insufficient token balance
Blocked Functionality: Protocol cannot utilize Curve vault for yield generation
Recommendations
-
Either Implement a function in RToken contract that performs vault deposits or
-
transfer assets from RToken contract to LendingPool first, then attempt to deposit into vault.
for example:
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.