The _withdrawFromVault function transfers tokens to the calling lending pool instead of the reserve’s rToken address. This misdirected withdrawal destination contradicts the intended liquidity management and leads to incorrect fund distribution during liquidity rebalancing.
The function is implemented as follows
During liquidity rebalancing, the _rebalanceLiquidity function calculates the desired buffer based on the reserve asset balance held by the rToken contract:
When a shortage is detected (i.e. the current buffer is below the desired level), the contract calls _withdrawFromVault. However, by passing address(this) as the recipient instead of the rToken contract address, tokens are incorrectly transferred to the lending pool. This undermines liquidity management, as the balance is not properly replenished.
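The flow described above can be checked with a small ledger model. This is an added example, not code from the audited contract or from the original report; the buffer ratio, the balances and the holder names "pool", "rtoken" and "vault" are constructed assumptions, and only the shortage branch is modelled.

```python
# Toy ledger model of the rebalancing flow. Constructed for illustration;
# it is not the audited contract, and all figures are sample values.
BUFFER_RATIO_BPS = 2_000  # assumed 20% target buffer (not stated on the page)
TOTAL_DEPOSITS = 1_000    # constructed sample value


class Ledger:
    """Reserve-asset balances per holder, standing in for the ERC-20 token."""

    def __init__(self, **balances):
        self.bal = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.bal[src] < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] += amount


def withdraw_from_vault(ledger, amount, recipient):
    """The vault pays `amount` of the reserve asset to `recipient`."""
    ledger.transfer("vault", recipient, amount)


def rebalance_liquidity(ledger, recipient):
    """Shortage branch only: the buffer is measured at the rToken address and
    any shortage is pulled from the vault to `recipient`.
    Returns the shortage still outstanding after the call."""
    desired = TOTAL_DEPOSITS * BUFFER_RATIO_BPS // 10_000
    current = ledger.bal["rtoken"]
    if current < desired:
        withdraw_from_vault(ledger, desired - current, recipient)
    return max(desired - ledger.bal["rtoken"], 0)


def simulate(recipient, rounds=2):
    """Run `rounds` rebalances from the same constructed starting state."""
    ledger = Ledger(rtoken=50, pool=0, vault=950)
    remaining = [rebalance_liquidity(ledger, recipient) for _ in range(rounds)]
    return remaining, ledger.bal


if __name__ == "__main__":
    # "pool" models address(this); "rtoken" models the reserve's rToken address.
    for label, recipient in (("address(this)", "pool"), ("rToken", "rtoken")):
        remaining, balances = simulate(recipient)
        print(f"{label:14} shortage per round={remaining} balances={balances}")
```

In this model the misdirected recipient leaves the shortage unchanged after every call while the vault balance keeps falling. A contract-level test can assert the same invariant: after a rebalance, the reserve asset balance held by the rToken equals the desired buffer.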
Liquidity Mismatch: Tokens meant to replenish the rToken liquidity will instead go to the lending pool, potentially leaving the rToken contract under-reserved.
Incorrect Fund Accounting: This misdirection leads to inaccurate liquidity tracking and may disrupt further operations that depend on reserve balances.
Manual Code Review
Update the _withdrawFromVault function so that tokens are withdrawn to the reserve’s rToken address: