ensureLiquidity does not inclued accrued interests
Overview
In the contract when a user wants to withdraw there is a call that makes sure we have enough liquidity before the withdraw is completed
However, when a user deposits they also earn some interests that ought to be withdraw when the user wants to withdraw.
If a user deposits x amount and by the time they want to withdraw they have earned some interests they should be able to withdraw x + (interest)
However this function only checks that the amount user puts is available and does not consider the additional interests that the user could have earned
POC
-
A user deposits 100 tokens.
-
Over time, they earn 5 more tokens in interest.
-
Their total withdrawable balance is now 105 USDC.
-
_ensureLiquidity only verifies if 100 tokens is available but does not consider interest earnings.
-
If only 100 is available, the function triggers a vault withdrawal but does not account for the extra 5 tokens owed to the user.
If the contract assumes only the principal amount should be available, users may be unable to withdraw their full balance.
The system may miscalculate available funds, leading to unexpected liquidity shortages.
Impact
liquidity could not be enough
Recommendation
Modify the _ensureLiquidity function to account for both principal and accrued interest.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.