`LendingPool::_withdrawFromVault` would revert due to incorrect owner parameter
Summary
The LendingPool::_withdrawFromVault incorrectly calls the curveVault with owner of shares as msg.sender, which would revert a legitimate LendingPool::withdraw, LendingPool::deposit or LendingPool::borrow transaction.
Vulnerability Details
The LendingPool::_withdrawFromVault function is being used inside the LendingPool::_ensureLiquidity and LendingPool::_rebalanceLiquidity to maintain the enough liquidity in the LendingPool contract.
However, the _withdrawFromVault has a critical parameter of owner, which is currently being passed as msg.sender instead of address(this). The depositor of the crvUSD is the contract itself which can be verified inside the _depositIntoVault function:
But in the case of _withdrawFromVault:
Which implies that the user should be fulfilling the withdraw instead of the LendingPool contract.
Impact
The
LendingPool::_rebalanceLiquidityandLendingPool::_ensureLiquiditywould revert in case of deficit being withdrawn, which breaks theLendingPool::withdraw,LendingPool::depositandLendingPool::borrowfunctions, rendering the contract useless.The funds stuck cannot be withdrawn under any circumstance as the
LendingPoolcontact in itself is non-upgradable.Loss of funds for users who might coincidently have deposited
crvUSDin the vault on a individual level.
Tools Used
Manual Review
Recommendations
It is recommended to replace msg.sender with address(this) in place of the owner parameter:
Lead Judging Commences
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.