Incorrect Vault Share Accounting Leads to Inaccurate Liquidity Management
Summary
The LendingPool.sol contract incorrectly tracks deposits in the Curve crvUSD vault by recording the deposited crvUSD amount rather than the received vault shares. Since vault shares appreciate in value as the vault generates yield, this creates a growing discrepancy between the tracked and actual value of vault deposits, leading to potential issues with liquidity management and withdrawal handling.
Vulnerability Details
The LendingPool.sol implements a liquidity management system where excess crvUSD is deposited into a Curve vault, tracked through the totalVaultDeposits variable. However, when interacting with the vault, the contract fails to account for the share-based mechanics of vault tokens:
The vault converts deposits to shares using this formula:
shares = assets * (total_supply / total_assets)
As the vault generates yield, total_assets increases while total_supply remains constant, meaning each share becomes worth more crvUSD over time. The contract's tracking of crvUSD amounts rather than shares fails to account for this appreciation.
This issue is particularly evident in the withdrawal function:
When withdrawing, the contract deducts the crvUSD amount from totalVaultDeposits, but this amount no longer accurately represents the shares being consumed due to yield appreciation.
Additionally, Protocol accounting and financial reporting will be inaccurate and this will lead to issues; the extra generated yield should be redistributed into the protocol to various different categories (RToken, governance, team etc) but the shares are never recorded virtually.
Impact
High:
The liquidity buffer ratio becomes inaccurate over time as the true value of vault deposits grows higher than tracked
Rebalancing operations may make incorrect decisions based on understated vault value
The contract might fail to maintain adequate liquidity buffers, potentially leading to failed withdrawals
Protocol accounting and financial reporting inaccuracies.
Likelihood
Medium - The issue manifests gradually as yield accrues in the vault and the impact depends on yield rates and deposit duration. The problem compounds over time, becoming more severe as the vault generates returns.
Recommendations
Use a virtual balance to track shares. Many subsequent changes need to take place for system accounting but this is imperative since the protocol is integrating heavily with crvUSD vaults and seemlessly depositing and withdrawing from it.
Lead Judging Commences
LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations
LendingPool earns yield from Curve Vault deposits but lacks systematic distribution mechanism, leading to protocol-owned value with unclear extraction path
LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations
LendingPool earns yield from Curve Vault deposits but lacks systematic distribution mechanism, leading to protocol-owned value with unclear extraction path
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.