Lack of Slippage Control in `LendingPool::_withdrawFromVault` Vault Withdrawal Mechanism Leading to Liquidity Mismatches
Summary
The LendingPool contract integrates with a Curve crvUSD Vault to manage excess liquidity. However, during withdrawal operations, the contract fails to implement proper slippage controls—specifically, it does not set an acceptable max_loss parameter. As a result, if the vault returns less than the expected amount due to slippage or strategy losses, the reserve liquidity becomes insufficient to cover user withdrawals. This discrepancy can cause withdrawal transactions to revert and potentially lock user funds.
Vulnerability Details
The core of the issue lies in the implementation of the _withdrawFromVault function. The contract calls the vault's withdraw function with a max_loss parameter set to 0, expecting an exact match between the requested withdrawal amount and the amount returned by the vault:
The intention in the vault integration (as shown in the implementation from Curve) is that any loss incurred during withdrawal is either negligible or should trigger a revert if it exceeds a tolerable threshold. However, by not setting a dynamic slippage control or tolerance, any minor deviation—even one that is economically acceptable—will result in a discrepancy between the requested and actual withdrawn amounts.
The _ensureLiquidity function relies on withdrawing a precise amount of tokens to maintain sufficient liquidity for user withdrawals. If the vault returns a lesser amount than requested due to slippage, the contract’s logic fails to provide the required funds, and the withdrawal transaction will revert. This creates a scenario where users may be permanently unable to withdraw their tokens, effectively locking funds within the contract.
Impact
Users may be unable to withdraw their tokens if even a minor slippage occurs during the vault withdrawal process.
Tools Used
Manual Review
Recommendation
Implement strict slippage controls during the withdrawal process. Specifically, adjust the _withdrawFromVault function to include a dynamic or predefined non-zero max_loss parameter that reflects an acceptable level of slippage. Additionally, if the actual withdrawn amount is less than the requested amount due to slippage, the transaction should revert to ensure that user funds are not partially disbursed, preserving the integrity of the liquidity guarantee.
Lead Judging Commences
LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.