Funds locked in Curve vault when updating vault address
Summary
When updating the Curve vault address via LendingPool::setCurveVault(), the protocol fails to withdraw funds from the old vault before switching to the new one, permanently locking user funds and yield in the old vault.
Vulnerability Details
The LendingPool::setCurveVault() function allows the owner to update the Curve vault address but does not handle the migration of funds from the old vault to the new one:
The protocol maintains an 80/20 split of funds between the Curve vault and the protocol's buffer. When the vault address is updated, the 80% of funds deposited in the old vault become permanently locked since:
The protocol loses the reference to the old vault address
There is no mechanism to withdraw all funds before updating the vault
Even if funds could be withdrawn, accrued yield represented by vault shares would remain locked
Proof of Concept
Protocol has 1000 USDC total liquidity
800 USDC (80%) is deposited in Curve Vault A
Owner calls
setCurveVaultto update to Curve Vault BThe 800 USDC + accrued yield is now permanently locked in Vault A
New deposits will go to Vault B, but funds in Vault A cannot be recovered
Impact
Permanent loss of user funds deposited in the old vault (80% of total liquidity)
Loss of all accrued yield in the old vault
Recommendations
Migrate the funds from the old vault to the new one, before updating the vault address.
Lead Judging Commences
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.