Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
77,280 USDC
Submission Details
Severity: medium
Valid

LendingPool will try to deposit its own reserve asset balance instead of RToken's balance into Curve vault, leading to DOS for key functions

Summary

In the LendingPool contract, the function _depositIntoVault incorrectly takes reserve assets from the LendingPool contract itself, instead of the RToken’s reserve asset balance. Similarly, _withdrawFromVault attempts to pull funds into the wrong contract.

This misallocation results in frequent transaction failures, as the LendingPool contract does not hold sufficient reserves to complete vault deposits.


Vulnerability Details

  • Incorrect Fund Source in _depositIntoVault

    • This function is supposed to deposit reserve assets from the RToken’s balance into a Curve vault.

    • However, it incorrectly pulls funds from the LendingPool contract instead.

    • Since the LendingPool does not hold these assets, deposits will fail due to insufficient balance.

  • Incorrect Fund Destination in _withdrawFromVault

    • When liquidity is low, _rebalanceLiquidity triggers _withdrawFromVault.

    • Instead of sending assets to the RToken, the function sends them to the LendingPool, breaking balance tracking.

    • This results in mismanaged liquidity and failed withdrawals.

  • Effect on Main Functions

    • Since _depositIntoVault and _withdrawFromVault are used in core liquidity management (deposit, withdraw and borrow), these functions will frequently revert due to incorrect balances.


Impact

Severity: High

Deposits into Curve Vault will frequently fail, as the LendingPool contract lacks the necessary balance. Liquidity management is broken, leading to failed transactions in key protocol functions.


Tools used

Manual code review


Recommendations

  1. Correct the fund source in _depositIntoVault

    • Instead of pulling funds from LendingPool, pull from the RToken’s reserve balance:

    ```solidity
    // Requires the RToken to have approved the LendingPool to spend its reserve asset
    IERC20(reserveAsset).transferFrom(address(rToken), address(vault), amount);
    ```

  2. Correct the fund destination in _withdrawFromVault

    • Ensure withdrawals go back to the RToken, not the LendingPool:

    ```solidity
    IERC20(reserveAsset).transfer(address(rToken), amount);
    ```
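The failure mode described in this finding, as an added illustration that is not the project's code: an in-memory ERC20 ledger that reverts the way Solidity would, with constructed actor names (LendingPool, RToken, CurveVault) and a hypothetical 1,000-unit reserve balance held by the RToken. It shows the pool-sourced deposit reverting on an empty balance, and the RToken-sourced deposit and RToken-destined withdrawal succeeding.

```javascript
// Minimal ERC20 model (constructed for this example): balances, allowances,
// and the two reverts that matter here.
class MockERC20 {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  mint(to, amt) { this.balances.set(to, this.balanceOf(to) + amt); }
  approve(owner, spender, amt) { this.allowances.set(`${owner}:${spender}`, amt); }
  transfer(from, to, amt) {
    if (this.balanceOf(from) < amt) throw new Error("ERC20: transfer amount exceeds balance");
    this.balances.set(from, this.balanceOf(from) - amt);
    this.balances.set(to, this.balanceOf(to) + amt);
  }
  transferFrom(spender, from, to, amt) {
    const key = `${from}:${spender}`;
    const allowed = this.allowances.get(key) ?? 0n;
    if (allowed < amt) throw new Error("ERC20: insufficient allowance");
    this.allowances.set(key, allowed - amt);
    this.transfer(from, to, amt);
  }
}

// Constructed stand-ins for the contracts named in the finding.
const LENDING_POOL = "LendingPool", RTOKEN = "RToken", VAULT = "CurveVault";

// Buggy shape: the pool spends its own reserve-asset balance, which is empty.
function depositIntoVaultBuggy(token, amount) {
  token.transfer(LENDING_POOL, VAULT, amount);
}
// Recommended shape: pull from the RToken, which must have approved the pool.
function depositIntoVaultFixed(token, amount) {
  token.transferFrom(LENDING_POOL, RTOKEN, VAULT, amount);
}
// Recommended shape: withdrawn funds return to the RToken, not the pool.
function withdrawFromVaultFixed(token, amount) {
  token.transfer(VAULT, RTOKEN, amount);
}

// Scenario: user deposits sit in the RToken (hypothetical 1,000 units).
function runScenario() {
  const token = new MockERC20();
  token.mint(RTOKEN, 1000n);
  token.approve(RTOKEN, LENDING_POOL, 1000n);
  let buggyReverted = false;
  try { depositIntoVaultBuggy(token, 600n); } catch (e) { buggyReverted = true; }
  depositIntoVaultFixed(token, 600n);       // RToken 400, vault 600
  withdrawFromVaultFixed(token, 200n);      // RToken 600, vault 400
  return { buggyReverted, vault: token.balanceOf(VAULT),
           rToken: token.balanceOf(RTOKEN), pool: token.balanceOf(LENDING_POOL) };
}
```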
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
