Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

The function `_withdrawFromVault` will always revert in the contract `LendingPool.sol`

Summary

The function `_withdrawFromVault` will always revert because the third parameter is hardcoded to `msg.sender` when the contract internally calls `curveVault.withdraw`. Because `msg.sender` is passed as the third parameter (the owner-of-shares parameter in the vault), the user's address is supplied instead of the contract's address. The owner of the shares in the vault from which liquidity is being withdrawn should be the contract, not the users of the protocol's functionality, so the call always reverts.

This breaks the protocol's `_ensureLiquidity` and `_rebalanceLiquidity` functions whenever execution reaches these branches:

In function `_ensureLiquidity`:

```solidity
if (availableLiquidity < amount) {
    uint256 requiredAmount = amount - availableLiquidity;
    // Withdraw required amount from the Curve vault
    _withdrawFromVault(requiredAmount);
}
```

and in function `_rebalanceLiquidity`:

```solidity
else if (currentBuffer < desiredBuffer) {
    uint256 shortage = desiredBuffer - currentBuffer;
    // Withdraw shortage from the Curve vault
    _withdrawFromVault(shortage);
}
```

When these conditions are hit (whenever liquidity in the contract is low), the protocol is not able to withdraw the liquidity that it deposited in the Curve vault.

Vulnerability Details
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/pools/LendingPool/LendingPool.sol#L809-L810

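```solidity
function _withdrawFromVault(uint256 amount) internal {
    // Third argument (owner of the shares) is msg.sender: the bug described in this report
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
}
```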

This function is called internally whenever `_ensureLiquidity` and `_rebalanceLiquidity` run (important functions of the protocol, called internally by `deposit`, `withdraw` and `borrow`). The bug is the hardcoded third parameter `msg.sender`: the users who call these functions are passed as the owner of the shares, so the function always reverts.

Impact
1) Stuck funds of the protocol in the vault
2) Whenever liquidity is low in the protocol, all three functions (`withdraw`, `deposit` and `borrow`) will revert

Tools Used
Manual review

Recommendations
Hardcode `address(this)` as the third parameter when withdrawing from the vault.
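
The failure and the recommended fix, reduced to a minimal sketch (an added example, not code from the RAAC repository or the Curve vault). `MockVault` and `PoolSketch` are hypothetical contracts; the vault models only share ownership and allowances, and the parameter names of `withdraw` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical stand-in for the vault: share accounting only, no token transfers.
// The five-argument withdraw mirrors the call in the report; parameter names are assumed.
contract MockVault {
    mapping(address => uint256) public sharesOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function deposit(uint256 amount, address receiver) external {
        sharesOf[receiver] += amount;
    }

    function withdraw(uint256 amount, address /* receiver */, address owner,
                      uint256 /* maxLoss */, address[] memory /* strategies */) external {
        if (msg.sender != owner) {
            // Caller is spending someone else's shares and needs an allowance.
            require(allowance[owner][msg.sender] >= amount, "insufficient allowance");
            allowance[owner][msg.sender] -= amount;
        }
        require(sharesOf[owner] >= amount, "insufficient shares");
        sharesOf[owner] -= amount;
    }
}

contract PoolSketch {
    MockVault public immutable vault;

    constructor(MockVault v) { vault = v; }

    function depositIntoVault(uint256 amount) external {
        vault.deposit(amount, address(this)); // shares are credited to the pool
    }

    // As reported: owner = msg.sender (the end user), who holds no shares and
    // has granted the pool no allowance, so the vault call reverts for amount > 0.
    function withdrawAsReported(uint256 amount) external {
        vault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    }

    // As recommended: owner = address(this), the account that holds the shares.
    function withdrawAsRecommended(uint256 amount) external {
        vault.withdraw(amount, address(this), address(this), 0, new address[](0));
    }
}
```

After `depositIntoVault(100)`, a call to `withdrawAsReported(100)` from any user account reverts in the mock's allowance check, while `withdrawAsRecommended(100)` succeeds and reduces the pool's share balance.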

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
