When rebalancing liquidity, reserve assets are deposited to Curve Vault from LendingPool.sol instead of from RToken contract
Summary
To support lending operations, liquidity is rebalanced in LendingPool.sol via _rebalanceLiquidity(). However, in the event there is excess reserve assets, it is being transferred from LendingPool.sol instead of from rToken address.
Vulnerability Details
In _rebalanceLiquidity(), the current buffer is defined as the balance of reserve assets(crvUSD) in rToken contract:
Let's assume the if statement executes whereby there is excess crvUSD in rToken contract. depositIntoVault()is now called.
LendingPool.sol (address(this)) deposits the excess crvUSD to the vault, instead of rToken depositing the excess to the vault.
LOC
[_depositIntoVault](https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L799-L803)
Impact
Misallocation of liquidity can severely affect lending and borrowing operations, breaking the core functionality of the protocol.
Tools Used
Manual
Recommendations
In _depositIntoVault(), change the depositor address from address(this) to reserve.reserveAssetAddress
Lead Judging Commences
LendingPool::_rebalanceLiquidity emits an event with stale buffer
Invalidated by appeal in 1090
LendingPool::_rebalanceLiquidity emits an event with stale buffer
Invalidated by appeal in 1090
Appeal created
LendingPool::_rebalanceLiquidity emits an event with stale buffer
Invalidated by appeal in 1090
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.