Liquidations do not rebalance liquidity, missing on yield
Vulnerability Details
All protocol functions that deposit or withdraw underlying asset call _rebalanceLiqudiity(). This is so the protocol can deposit on the CRV Vault the desired % of liquidity to gain extra yield.
However the finalizeLiquidation() does alter the amount of underlying assets on the system, by adding more due to repayment of bad debt, yet it does not rebalance the liquidity. It moves assets in the underlying token asset here.
Impact
Liquidations won't and should deposit funds in the CRV Vault if needed, missing on extra yield until someone else executes a rebalancing action.
Recommendations
Add _rebalanceLiquditiy() at the end of LendingPool::finalizeLiquidation().
Lead Judging Commences
LendingPool::finalizeLiquidation or repay doesn't call _rebalanceLiquidity, leaving excess funds idle instead of depositing them in Curve vault for yield
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.