_withdrawFromVault function Misdirects Assets to LendingPool, Causing RToken Liquidity Crisis
Summary
Vault Assets Stranded in LendingPool Instead of RToken
_withdrawFromVaultMisdirection: functions sends assets to LendingPool instead of RToken contract.The protocol's operational design is that all asset tokens are stored in and managed by the RToken contract. During user deposits and withdrawls, crvUSD is moved in and out from RToken contract.
Vulnerability Details
During user deposits, All assetTokens(crvUSD) are stored in RToken contract.
Idea is to move assetTokens between curve-vault and RToken contract . However,
DepositIntoVault: assetTokens move from : RToken → Vault
WithdrawFromVault: assetTokens move from: Vault → LendingPool (should go to RToken instead)
withdrawFromVaultfunction is used in other functions like ensureLiquidity, rebalanceLiquidity, to manage assetTokens between curve Vault and Rtoken contract.
Impact
functions like
_ensureLiquidity,rebalanceLiquidityare no longer useful.
failed user withdrawls: If funds from vault don't go into RToken contract,eventually RToken contract will not have sufficient balance to process user withdrawls.
Stranded Liquidity: Assets accumulate in LendingPool instead of circulating back to RToken
Recommendations
Adjust the call to the following:
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.