Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Setting a new curve vault does not withdraw crvUSD from the old vault

Summary

Setting a new curve crvUSD vault via LendingPool::setCurveVault fails to withdraw crvUSD from the old vault.

Vulnerability Details

The LendingPool::setCurveVault function lets the admin / owner replace the current curve vault with a new one.

    function setCurveVault(address newVault) external onlyOwner {
        require(newVault != address(0), "Invalid vault address");
        address oldVault = address(curveVault);
        // The vault reference is overwritten here; nothing withdraws the
        // pool's crvUSD from oldVault first.
        curveVault = ICurveCrvUSDVault(newVault);
        emit CurveVaultUpdated(oldVault, newVault);
    }

The LendingPool contract uses the curve vault to store any crvUSD in excess of the desired buffer.
However, when the vault is changed, the function does not withdraw the crvUSD that the LendingPool contract holds in the old vault before switching to the new one.

Impact

  1. Loss of funds: the LendingPool contract is not upgradable, so there is no way to retrieve the stuck crvUSD tokens.

Tools Used

Manual Review

Recommendations

It is recommended to check for and withdraw the crvUSD held in the current vault before the function replaces it with the new curve vault.
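
One way to implement this recommendation, shown as an added example that is not the project's own code. It assumes the vault exposes the ERC-4626 balanceOf and redeem functions; IVaultLike, LendingPoolSketch and the OldVaultDrained event are hypothetical names, and the real ICurveCrvUSDVault interface may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed ERC-4626-style subset; the project's ICurveCrvUSDVault may differ.
interface IVaultLike {
    function balanceOf(address account) external view returns (uint256);
    function redeem(uint256 shares, address receiver, address owner) external returns (uint256 assets);
}

// Hypothetical stand-in for LendingPool, reduced to the vault setter.
contract LendingPoolSketch {
    address public owner;
    IVaultLike public curveVault;

    event CurveVaultUpdated(address indexed oldVault, address indexed newVault);
    event OldVaultDrained(address indexed oldVault, uint256 shares, uint256 assets);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    function setCurveVault(address newVault) external onlyOwner {
        require(newVault != address(0), "Invalid vault address");
        address oldVault = address(curveVault);
        require(newVault != oldVault, "Same vault");

        if (oldVault != address(0)) {
            // Pull every share this contract holds out of the old vault first.
            uint256 shares = curveVault.balanceOf(address(this));
            if (shares > 0) {
                uint256 assets = curveVault.redeem(shares, address(this), address(this));
                emit OldVaultDrained(oldVault, shares, assets);
            }
            // Refuse to switch while any position remains in the old vault.
            require(curveVault.balanceOf(address(this)) == 0, "Old vault not empty");
        }

        curveVault = IVaultLike(newVault);
        emit CurveVaultUpdated(oldVault, newVault);
    }
}
```

If the old vault cannot honor a full redemption, the call reverts and the vault reference is left unchanged, so the switch cannot strand a balance.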

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets

