Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

curveVault.withdraw params are incorrect causing _rebalanceLiquidity to reverted.

ChainProof

Summary

curveVault.withdraw is used 5 params but in actual impelentation of withdraw function in curveVault is used 3 params . So _rebalanceLiquidity transaction is reverted withdrawing shortage liquidity from the Curve vault in order to achieve disired liquidity on RTokenAddress.

Vulnerability Details

curveVault.withdraw used 5 params.

function _withdrawFromVault(uint256 amount) internal {
curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
totalVaultDeposits -= amount;
}

This is crvUSD vault withdraw implementation. it used only 3 params.

  • assets: Amount to withdraw

  • receiver: Address that receives the withdrawn assets (default: msg.sender)

  • owner: Address from which shares are burned (default: msg.sender)

@external
@nonreentrant('lock')
def withdraw(assets: uint256, receiver: address = msg.sender, owner: address = msg.sender) -> uint256:

Impact

_rebalanceLiquidity transaction is reverted meaning , deposit and withdraw transactions reverted in LendingPool.

Tools Used

Manual Review

Recommendations

Use correct implementation of curveVault withdraw function to withdraw assets.

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!