`_depositIntoVault()` function always reverts due to missing asset transfer
Summary
The incorrect assumption about asset location in _depositIntoVault() will cause transaction reverts for all protocol operations as assets are held by RToken contract instead of LendingPool
Root Cause
In LendingPool.sol the _depositIntoVault() function attempts to transfer assets directly from LendingPool, but assets are actually held by the RToken contract as shown in ReserveLibrary.sol.
Internal pre-conditions
Any function that calls
_rebalanceLiquidity()needs to be executed (deposit, withdraw, borrow)Assets need to be transferred to
reserve.reserveRTokenAddressduring deposit
Impact
The protocol operations will be completely blocked as core functions like deposit, withdraw, and borrow will revert due to failed vault deposits. This effectively makes the protocol unusable.
Proof of Concept
The issue occurs because:
During deposit, assets are transferred to
reserve.reserveRTokenAddress(ReserveLibrary.sol)When
_depositIntoVault()is called, it tries to transfer assets from LendingPoolSince LendingPool doesn't hold the assets, the transfer fails and reverts
Mitigation
Add asset transfer from RToken before vault deposit:
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.