The _withdrawFromVault function in the LendingPool.sol contract withdraws tokens from the CrvUsdVault when there is a shortage, but it passes the wrong params, which leads to unintended and unexpected behaviour.
At the end of every core function of LendingPool.sol, such as deposit and borrow, an internal function, _rebalanceLiquidity, is called. This function compares desiredBuffer and currentBuffer to check whether there are excess tokens or a shortage of tokens. When desired > current there is a shortage, and _withdrawFromVault is called to withdraw the required tokens from the Crv vault. Inside that function the Crv vault's withdraw is called.

The NatSpec of the Crv vault's withdraw function can be seen [here](https://github.com/curvefi/scrvusd/blob/95a120847c7a2901cea5256ba081494e18ea5315/contracts/yearn/VaultV3.vy#L1839): the address passed in the owner param should be that of the account whose shares are to be burnt. The issue is that in _withdrawFromVault the withdrawn funds come into the LendingPool contract, but msg.sender is passed in the owner param. The funds will therefore come into the LendingPool contract while the caller's/user's shares are burnt (the caller of either of the functions mentioned above, i.e. deposit or borrow). Clearly this is wrong and should not be the intended behaviour.
The transaction might revert, or the user can lose funds, because an incorrect address is passed in withdraw's owner param.
Manual Review
Instead of burning the shares of the user, i.e. msg.sender, pass address(this) in the owner param too, as is already done for the receiver param.
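The two outcomes described above (revert, or the user's shares being burnt) and the effect of the recommended change, shown as an added Python model; it is not the project's Solidity or the vault's Vyper code. It assumes a 1:1 share price and the standard ERC-4626 rule that a caller other than the owner needs a share allowance; the class, function names and addresses are hypothetical.

```python
# Simplified model of an ERC-4626-style vault (1 share = 1 asset, constructed values).
class Revert(Exception):
    """Stands in for an EVM revert."""

class Vault:
    def __init__(self):
        self.shares = {}      # owner -> vault shares
        self.allowance = {}   # (owner, spender) -> approved shares
        self.assets = {}      # address -> underlying token balance

    def deposit(self, caller, amount):
        self.shares[caller] = self.shares.get(caller, 0) + amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def withdraw(self, caller, amount, receiver, owner):
        # Shares are burnt from `owner`; a caller other than the owner needs allowance.
        if caller != owner:
            allowed = self.allowance.get((owner, caller), 0)
            if allowed < amount:
                raise Revert("insufficient allowance")
            self.allowance[(owner, caller)] = allowed - amount
        if self.shares.get(owner, 0) < amount:
            raise Revert("insufficient shares")
        self.shares[owner] -= amount
        self.assets[receiver] = self.assets.get(receiver, 0) + amount

POOL, USER = "LendingPool", "user"   # placeholder addresses

def rebalance(vault, msg_sender, shortage, fixed):
    # The pool is always the vault caller and the receiver; only `owner` differs.
    owner = POOL if fixed else msg_sender
    try:
        vault.withdraw(POOL, shortage, receiver=POOL, owner=owner)
        return "ok"
    except Revert as exc:
        return f"revert: {exc}"

def scenario(user_shares, user_approved, fixed):
    vault = Vault()
    vault.deposit(POOL, 100)              # pool's earlier vault deposit
    if user_shares:
        vault.deposit(USER, user_shares)  # user happens to hold vault shares
    if user_approved:
        vault.approve(USER, POOL, user_approved)
    result = rebalance(vault, USER, 40, fixed)
    return result, vault.shares.get(POOL, 0), vault.shares.get(USER, 0), vault.assets.get(POOL, 0)
```

Each `scenario` call returns the rebalance result, the pool's shares, the user's shares and the pool's received assets, so the buggy and fixed owner values can be compared side by side.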