Failure to Withdraw Liquidity to RToken.sol Before Changing Curve Vault Address
Summary
A vulnerability exists in the setCurveVault() function of the LendingPool contract. When switching the Curve crvUSD vault to a new address, the function fails to withdraw the remaining reserve tokens from the old vault and transfer them to RToken.sol. As a result, any liquidity left in the old vault becomes inaccessible to the protocol, leading to capital inefficiency and potential loss of user-accessible liquidity.
Vulnerability Details
The setCurveVault() function updates the address of the Curve crvUSD vault without handling the reserve tokens already deposited in the old vault:
This function does not withdraw any remaining reserve tokens from the old vault before updating the vault address. Once the vault is switched, the protocol can no longer access these funds, as evidenced below where curveVault is now a new vault address.
As a matter of fact, the following function serving as the only way of getting back some reserve assets from the vault is meant to be internally invoked by either _ensureLiquidity() for its requiredAmount or _rebalanceLiquidity() for its shortage as far as the inputted amount is concerned. :
There isn't a way where the protocol may manually pre-withdraw the reserve assets balance from the old vault prior to setting a new vault address. Neither is there a way to manually post-withdraw the reserve assets balance following the change of a new vault. This oversight leads to stranded liquidity and loss of user-accessible funds unless a full recovery process has been factored into the setter function.
Impact
-
Stranded Reserve Tokens:
Liquidity left in the old vault is no longer usable for withdrawals, borrowing, or yield generation. -
User Withdrawal Failures:
Since RToken.sol relies on sufficient reserve tokens to fulfill withdrawal requests, stranded liquidity could cause partial or failed withdrawals. -
Protocol Yield Reduction:
With a portion of the capital stuck in the old vault, the protocol’s ability to reinvest and generate yield is diminished, affecting long-term performance. -
Protocol Vulnerability to Shortages:
In scenarios of high withdrawal demand, stranded funds may force the protocol to sell or borrow liquidity from external sources under unfavorable conditions.
Tools Used
Manual
Recommendations
Consider the following refactoring:
Lead Judging Commences
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.