The protocol deposits a % of the LendingPool's liquidity into a CRV Vault. This makes the liquidity accrue fees from people trading on the CRV Vault.
However, the LendingPool has no way of claiming these fees.
If a user needs to withdraw more than the actual balance of RToken, the exact extra amount necessary will be withdrawn from the CRV Vault and no more. You can see it in the _ensureLiquidity() function here.
This means that, if a user withdrew all liquidity, they would get the same amount they deposited even if part of it got re-located in the CRV Vault, which is fine and good.
But all fees accrued since then in the CRV Vault are lost and there will be no way of retrieving them. This is because:
- The user can't withdraw more than he deposits (this is fine).
- The LendingPool is the owner of the liquidity, as it owns the shares that represent it on the CRV Vault. Yet it neither tracks the extra earnings from the swap fees on the Vault nor allows withdrawing them. You can see that the LendingPool is the owner of the fees as per the deposit docs here and how it is called here. Also, the only call to Curve withdraw is here, which is only triggered from user calls that ensure no one can claim more than deposited.
Lost revenue for the protocol and users.
Leverage the already tracked but never used totalVaultDeposits to deduce how much of the CRV Vault liquidity comes from fees earned and how much comes from users' liquidity. Then add another function in the LendingPool to claim the fees and distribute them to the users or treasury, whatever the protocol sees fit.
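The accounting described above, as a small Python model added here for illustration (it is not the protocol's code). The Vault class, the 20% allocation and all amounts are constructed, total_vault_deposits stands in for totalVaultDeposits, and claim_vault_fees() is a hypothetical name for the recommended function.

```python
class Vault:
    """Constructed share-based vault; accrued swap fees raise assets per share."""
    def __init__(self):
        self.assets = self.shares = 0          # only the pool holds shares here

    def deposit(self, amount):
        minted = amount if self.shares == 0 else amount * self.shares // self.assets
        self.assets += amount
        self.shares += minted

    def withdraw(self, amount):
        burned = -(-amount * self.shares // self.assets)   # round shares up
        assert burned <= self.shares, "insufficient shares"
        self.assets -= amount
        self.shares -= burned

class LendingPool:
    def __init__(self, vault, vault_pct=20):   # 20% is an assumed allocation
        self.vault, self.vault_pct = vault, vault_pct
        self.rtoken_balance = 0                # liquidity held at RToken
        self.total_vault_deposits = 0          # totalVaultDeposits in the finding
        self.treasury = 0

    def deposit(self, amount):
        to_vault = amount * self.vault_pct // 100
        self.rtoken_balance += amount - to_vault
        self.vault.deposit(to_vault)
        self.total_vault_deposits += to_vault

    def withdraw(self, amount):
        shortfall = max(0, amount - self.rtoken_balance)
        if shortfall:                          # _ensureLiquidity(): exact extra, no more
            self.vault.withdraw(shortfall)
            self.total_vault_deposits -= shortfall
        self.rtoken_balance += shortfall - amount
        return amount

    def accrued_vault_fees(self):              # vault value above tracked principal
        return max(0, self.vault.assets - self.total_vault_deposits)

    def claim_vault_fees(self):                # hypothetical function from the recommendation
        fees = self.accrued_vault_fees()
        if fees:
            self.vault.withdraw(fees)
            self.treasury += fees
        return fees

def run_scenario():
    pool = LendingPool(Vault())
    pool.deposit(1000)                         # 800 stays liquid, 200 goes to the vault
    pool.vault.assets += 20                    # constructed: swap fees accrue in the vault
    paid = pool.withdraw(1000)                 # user exits with exactly the deposit
    shares_left, stranded = pool.vault.shares, pool.accrued_vault_fees()
    return paid, shares_left, stranded, pool.claim_vault_fees()
```

After the full withdrawal the pool still holds vault shares backed only by fees; without the claim function nothing in the model can move them.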