Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

curveVault.withdraw params are incorrect causing _rebalanceLiquidity to reverted.

ChainProof

Summary

curveVault.withdraw is used 5 params but in actual impelentation of withdraw function in curveVault is used 3 params . So _rebalanceLiquidity transaction is reverted withdrawing shortage liquidity from the Curve vault in order to achieve disired liquidity on RTokenAddress.

Vulnerability Details

curveVault.withdraw used 5 params.

function _withdrawFromVault(uint256 amount) internal {
curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
totalVaultDeposits -= amount;
}

This is crvUSD vault withdraw implementation. it used only 3 params.

  • assets: Amount to withdraw

  • receiver: Address that receives the withdrawn assets (default: msg.sender)

  • owner: Address from which shares are burned (default: msg.sender)

@external
@nonreentrant('lock')
def withdraw(assets: uint256, receiver: address = msg.sender, owner: address = msg.sender) -> uint256:

Impact

_rebalanceLiquidity transaction is reverted meaning , deposit and withdraw transactions reverted in LendingPool.

Tools Used

Manual Review

Recommendations

Use correct implementation of curveVault withdraw function to withdraw assets.

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago
inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!