Incorrect Share Ownership in LendingPool::_withdrawFromVault May Cause Failed Withdrawals
Summary
The _withdrawFromVault function in LendingPool incorrectly uses msg.sender as the share owner when calling curveVault.withdraw(...). Since the contract itself owns the shares, this can result in failed withdrawals due to an ownership mismatch.
Vulnerability Details
Currently, the function executes:
Here, msg.sender is used as the share owner, but the contract (address(this)) holds the shares, not the external caller. This may lead to the following issues:
The withdrawal will fail if the Curve vault requires the correct ownership to authorize the transaction.
The contract (
LendingPool) should be the share owner, notmsg.sender.
Impact
Withdrawals may fail due to incorrect share ownership, preventing liquidity withdrawal from the Curve vault.
Tools Used
Manual code review
Recommendations
Correct the ownership reference to address(this) to ensure successful withdrawals:
Lead Judging Commences
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.