Zero Max Loss in `LendingPool::_withdrawFromVault` Can Cause Unnecessary Transaction Reverts
Summary
The _withdrawFromVault function in LendingPool calls curveVault.withdraw(...) with maxLoss set to 0. This strict requirement can cause transactions to revert due to minimal price fluctuations, even when the losses are insignificant. This could lead to unnecessary failures and prevent withdrawals under normal market conditions.
Vulnerability Details
The `maxLoss` parameter is hardcoded to `0`, meaning that even the slightest fluctuation in asset value or rounding discrepancies in the Curve vault can cause a transaction failure.
Key issues:
Even small, acceptable losses (e.g., a few basis points) can cause reverts, making withdrawals unreliable.
The function does not provide flexibility to set a reasonable tolerance for minimal discrepancies.
Impact
Withdrawals may fail unnecessarily, frustrating users and causing inefficiencies.
Tools Used
Manual review
Recommendations
Modify `_withdrawFromVault` to accept a small `maxLoss` threshold to prevent unnecessary reverts due to minor fluctuations:
Lead Judging Commences
LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.