No rebalanceLiquidity was performed after _repay
Summary
No rebalanceLiquidity was performed after _repay.
Vulnerability Details
_rebalanceLiquidity is used to rebalance liquidity between the buffer and Curve vault to maintain the desired buffer ratio. The variables involved are uint256 currentBuffer = IERC20(reserve.reserveAssetAddress).balanceOf(reserve.reserveRTokenAddress);. That is to say, as long as reserve.reserveRTokenAddress changes, this function needs to call rebalancing. In the LendingPool.sol contract, the deposit, withdraw, and borrow functions all have _rebalanceLiquidity operations, but there is no _repay function.
Impact
After the _repay operation, if a certain asset in the pool (such as a borrowed asset) is reduced, and other assets are not adjusted in time through _rebalanceLiquidity (such as withdrawing or depositing into Curve Vault), it may cause an imbalance in the proportion of assets in the pool.
Tools Used
Manual review
Recommendations
Add _rebalanceLiquidity to the _repay function
Lead Judging Commences
LendingPool::finalizeLiquidation or repay doesn't call _rebalanceLiquidity, leaving excess funds idle instead of depositing them in Curve vault for yield
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.