StabilityPool Liquidation Mechanism Broken Due to Incorrect crvUSD Token Flow
Summary
The StabilityPool's liquidation mechanism is completely broken because it expects to have crvUSD tokens available for liquidations, but there is no way for the contract to receive these tokens. All crvUSD deposits are sent to the rToken contract instead of the StabilityPool.
Vulnerability Details
When users deposit crvUSD into the LendingPool, the tokens are transferred to the rToken contract:
uint256 mintedAmount = ReserveLibrary.deposit(reserve, rateData, amount, msg.sender);
However, the StabilityPool's liquidateBorrower function expects to have sufficient crvUSD available:
This mismatch means:
StabilityPool never receives crvUSD tokens
crvUSDBalance check will always revert
Liquidations cannot be executed
The entire liquidation mechanism is non-functional
Impact
Impact
The protocol's liquidation mechanism is completely broken. No liquidations can be performed & bad debt cant be cleared.
Tools Used
Manual Review
Recommendation
Modify token flow to ensure StabilityPool has access to crvUSD or fix the entire liquidation logic.
Lead Judging Commences
StabilityPool design flaw where liquidations will always fail as StabilityPool receives rTokens but LendingPool expects it to provide crvUSD
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.