Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

[M] Incorrect Approval in `_depositIntoVault` Function in `LendingPool`

Summary

The _depositIntoVault function in the LendingPool contract approves the Curve vault to spend tokens from the LendingPool contract. However, the LendingPool contract does not hold any assets, because all deposits are held in the RToken contract. As a result, the deposit into the Curve vault always fails, which renders the _rebalanceLiquidity function useless.

Vulnerability Details

The current approval in the _depositIntoVault function is:

```solidity
IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
```

This line attempts to approve the Curve vault to spend tokens from the LendingPool contract, which does not hold any assets. As a result, the subsequent deposit into the Curve vault fails.

Link to the issue: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L800

Impact

This issue prevents the LendingPool contract from correctly depositing excess liquidity into the Curve vault, potentially leading to liquidity management issues within the protocol.

Tools Used

Manual code review.

Recommendations

There are two possible recommendations to address this issue:

  1. Make Deposits into the LendingPool Contract:
    Update the logic to ensure that the LendingPool contract holds the assets before approving and depositing them into the Curve vault.

  2. Relocate the Rebalance Function to the RToken Contract:
    Move the _rebalanceLiquidity function to the RToken contract, which holds the assets. This ensures that the approval and deposit operations are performed by the contract that holds the assets.

Example of relocating the rebalance function:

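```solidity
// In the RToken contract
function _rebalanceLiquidity() internal {
    uint256 totalDeposits = totalSupply(); // Total liquidity in the system
    // Share of deposits that should stay liquid in this contract
    uint256 desiredBuffer = totalDeposits.percentMul(liquidityBufferRatio);
    // Buffer held by this contract; inside RToken this has to be read as the
    // underlying reserve asset balance, not the RToken balance
    uint256 currentBuffer = balanceOf(address(this));
    if (currentBuffer > desiredBuffer) {
        // Surplus liquidity goes into the Curve vault
        uint256 excess = currentBuffer - desiredBuffer;
        _depositIntoVault(excess);
    } else if (currentBuffer < desiredBuffer) {
        // Shortfall is pulled back out of the Curve vault
        uint256 shortage = desiredBuffer - currentBuffer;
        _withdrawFromVault(shortage);
    }
    emit LiquidityRebalanced(currentBuffer, totalVaultDeposits);
}
```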

This ensures that the assets held in the RToken contract are correctly approved and deposited into the Curve vault.
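
The failure and recommendation 1 can be reproduced in isolation with the added example below, which is not code from the RAAC repository. MockAsset, MockVault, MockHolder, MockPool and the release() helper are constructed stand-ins (MockHolder plays RToken's role, MockPool plays LendingPool's role), and the vault is assumed to pull tokens from its caller through transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed minimal ERC-20: only the balance/allowance rules that matter here.
contract MockAsset {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external returns (bool) {
        allowance[msg.sender][spender] = amt; // succeeds even with a zero balance
        return true;
    }
    function transfer(address to, uint256 amt) external returns (bool) {
        balanceOf[msg.sender] -= amt; // checked math: reverts on underflow
        balanceOf[to] += amt;
        return true;
    }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        allowance[from][msg.sender] -= amt;
        balanceOf[from] -= amt; // reverts when `from` holds less than amt
        balanceOf[to] += amt;
        return true;
    }
}
// Constructed vault: pulls the deposit from msg.sender (assumed pull-based vault).
contract MockVault {
    MockAsset immutable asset;
    constructor(MockAsset a) { asset = a; }
    function deposit(uint256 amt) external { asset.transferFrom(msg.sender, address(this), amt); }
}
// Stand-in for the asset holder (RToken's role); release() is a hypothetical helper.
contract MockHolder {
    MockAsset immutable asset;
    address immutable pool;
    constructor(MockAsset a) { asset = a; pool = msg.sender; }
    function release(uint256 amt) external { require(msg.sender == pool, "only pool"); asset.transfer(pool, amt); }
}
// Stand-in for the pool (LendingPool's role); it never holds the asset itself.
contract MockPool {
    MockAsset public immutable asset;
    MockVault public immutable vault;
    MockHolder public immutable holder;
    constructor(MockAsset a) { asset = a; vault = new MockVault(a); holder = new MockHolder(a); }
    // Pattern from the finding: approve() succeeds, deposit() reverts (pool balance is 0).
    function depositBroken(uint256 amt) external { asset.approve(address(vault), amt); vault.deposit(amt); }
    // Recommendation 1: move the assets to the approving contract before the deposit.
    function depositFixed(uint256 amt) external {
        holder.release(amt); asset.approve(address(vault), amt); vault.deposit(amt);
    }
}
```

With 100 units minted to the address returned by holder(), depositBroken(100) reverts on the balance underflow inside transferFrom, while depositFixed(100) leaves the vault holding 100.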


Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions

