Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Insufficient Liquidity Checks done when vault is not configured

Summary

Both the `borrow` and `withdraw` functions call `_ensureLiquidity(amount);` before proceeding with further operations.

Vulnerability Details

The root cause lies in the `_ensureLiquidity` function.

`_ensureLiquidity` is used to check that liquidity is available for withdraw and borrow operations, but its implementation does not handle the scenario where the vault is not set: in that case it just returns.

This makes the `borrow` and `withdraw` functions assume that liquidity is available and proceed with further operations.

For example, suppose:

- The protocol has 1,000 tokens in reserve.
- A user requests a withdrawal of 1,200 tokens.

If the vault is not set, the check might bypass or miscalculate the available liquidity, leading to a failed transaction or an overdrawn state.

Impact

If a user is allowed to withdraw more than the available liquidity, the transaction could fail or, in some cases, deplete liquidity unexpectedly. This miscalculation can lead to failed transactions, reduced confidence in the protocol, and potential liquidity crises.

Recommendations

Rather than returning when the vault is not set, revert:

```solidity
if (address(curveVault) == address(0)) {
    revert("with the error message"); // placeholder: supply a descriptive message
}
```

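
A minimal Solidity sketch of the two guard behaviours discussed above, using the 1,000 / 1,200 token scenario from the example. It is an added illustration, not code from the audited contracts: apart from `curveVault` and `_ensureLiquidity`, every name (`LiquidityGuardSketch`, `reserve`, the custom errors, the `withdraw*` functions) and the balance comparison inside the guard are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the audited contract. Only `curveVault` and
// `_ensureLiquidity` come from the page; everything else is hypothetical.
contract LiquidityGuardSketch {
    error VaultNotConfigured();
    error InsufficientLiquidity(uint256 requested, uint256 available);

    address public curveVault;       // address(0) means "vault not set"
    uint256 public reserve = 1_000;  // constructed: the 1,000-token reserve

    function setVault(address vault) external {
        curveVault = vault;
    }

    // Guard as the submission describes it: no vault, so it just returns.
    function _ensureLiquidityLenient(uint256 amount) internal view {
        if (curveVault == address(0)) return;
        if (amount > reserve) revert InsufficientLiquidity(amount, reserve);
    }

    // Guard as the submission recommends: no vault is an explicit error.
    function _ensureLiquidityStrict(uint256 amount) internal view {
        if (curveVault == address(0)) revert VaultNotConfigured();
        if (amount > reserve) revert InsufficientLiquidity(amount, reserve);
    }

    // withdrawLenient(1_200) with no vault: the guard passes, and in this
    // sketch the checked subtraction (Solidity >= 0.8) reverts with Panic(0x11).
    function withdrawLenient(uint256 amount) external {
        _ensureLiquidityLenient(amount);
        reserve -= amount;
    }

    // withdrawStrict(1_200) with no vault: reverts with VaultNotConfigured().
    // Note that withdrawStrict(500) reverts too until a vault is configured.
    function withdrawStrict(uint256 amount) external {
        _ensureLiquidityStrict(amount);
        reserve -= amount;
    }
}
```
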
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
