Missing `_rebalanceLiquidity()` updates after state chaning actions in `LendingPool`
Summary
The LendingPool sends excess crvUSD to a Curve Vault (or withdraws missing crvUSD), to generate additional yield. After each action that moves crvUSD in or out of the LendingPool, _rebalanceLiquidity is called to either deposit or withdraw funds from the vault, with respect to a buffer value. However, no rebalancing happens when a loan is repaid, or a liquidation takes place, leading to a potential loss of yield for the protocol.
Vulnerability Details
All actions that deal with crvUSD inflow or outflow in the LendingPool, transfer funds between the pool and the curve vault generating yield. This is true for all except loan repayments and liquidations. This could lead to the pool missing out on potential yield from the vault.
Impact
Potential loss of yield from the curve vault.
Tools Used
Manual review
Recommendations
Invoke _rebalnceLiquidity after liquidations and loan repayments.
Lead Judging Commences
LendingPool::finalizeLiquidation or repay doesn't call _rebalanceLiquidity, leaving excess funds idle instead of depositing them in Curve vault for yield
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.