Core Contracts

Regnum Aurum Acquisition Corp
Hardhat / Real World Assets / NFT
77,280 USDC
Submission Details
Severity: medium
Valid

_depositIntoVault and _withdrawFromVault are depositing and withdrawing from the wrong place

Summary

In the LendingPool contract, the functions _depositIntoVault and _withdrawFromVault are called to rebalance liquidity and to ensure liquidity is available. The problem is that they deposit to and withdraw from the LendingPool itself, which is not supposed to hold those funds: the liquidity is actually held by reserveRTokenAddress.

This issue was overlooked because in the LendingPool tests the curve vault address is never set, and both _ensureLiquidity and _rebalanceLiquidity have the following early-return condition:

if (address(curveVault) == address(0)) {
return;
}

Because of this early return, _depositIntoVault and _withdrawFromVault were never executed during the tests.

Vulnerability Details

By modifying one of the tests in the LendingPool.test.js file we can see that the crvUSD balance held by the LendingPool is zero (the reserve sits in the RToken contract), so no vault deposit can be made from this address:

it("should allow user to deposit crvUSD and receive rToken", async function () {
  const depositAmount = ethers.parseEther("100");
  await lendingPool.connect(user1).deposit(depositAmount);
  await ethers.provider.send("evm_mine", []);

  // The depositor receives rTokens 1:1 for the deposited crvUSD
  const rTokenBalance = await rToken.balanceOf(user1.address);
  expect(rTokenBalance).to.equal(depositAmount);
  const crvUSDBalance = await crvusd.balanceOf(user1.address);
  expect(crvUSDBalance).to.equal(ethers.parseEther("900"));
  const debtBalance = await debtToken.balanceOf(user1.address);
  expect(debtBalance).to.equal(0);

  // The underlying crvUSD is held by the RToken contract (the reserve)
  const reserveBalance = await crvusd.balanceOf(rToken.target);
  expect(reserveBalance).to.equal(ethers.parseEther("1100"));

  // Lending Pool balance is zero, so it has nothing to deposit into the vault
  const LendingPoolBalance = await crvusd.balanceOf(lendingPool.target);
  expect(LendingPoolBalance).to.equal(ethers.parseEther("0"));
});

Impact

Once a curve vault is configured, _rebalanceLiquidity will always revert, and since borrow, deposit and withdraw all go through it, those operations will always revert as well.

Tools Used

Manual review + Hardhat test

Recommendations

Transfer the funds from reserveRTokenAddress to the LendingPool before depositing into the vault, and transfer them from the LendingPool back to reserveRTokenAddress after withdrawing from it.
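The following Solidity sketch is an added illustration of the recommended fix; it is not the project's code and was not part of the submission. It shows the reported pattern (the pool depositing its own, empty, balance) next to a corrected version that first pulls the tokens from the RToken and returns them after a withdrawal. The interfaces are assumptions: the curve vault is modelled with ERC-4626 style deposit/withdraw signatures, and the RToken is assumed to expose a pool-only transferAsset(to, amount) hook for releasing the underlying crvUSD; the real contracts may name these differently.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative example only; interface shapes below are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Assumed: the RToken lets the pool move the reserve asset it custodies.
interface IRTokenAssumed {
    function transferAsset(address to, uint256 amount) external;
}

// Assumed: ERC-4626 style vault.
interface ICurveVaultAssumed {
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
    function withdraw(uint256 assets, address receiver, address owner) external returns (uint256 shares);
}

contract LendingPoolVaultRebalanceExample {
    IERC20 public immutable reserveAsset;          // crvUSD
    address public immutable reserveRTokenAddress; // actually holds the liquidity
    ICurveVaultAssumed public immutable curveVault;
    uint256 public totalVaultDeposits;

    constructor(address asset, address rToken, address vault) {
        reserveAsset = IERC20(asset);
        reserveRTokenAddress = rToken;
        curveVault = ICurveVaultAssumed(vault);
    }

    // BEFORE (reported behaviour): the pool approves and deposits from its own
    // balance. That balance is zero because the liquidity sits in the RToken,
    // so the vault deposit reverts and every caller of _rebalanceLiquidity
    // reverts with it.
    function _depositIntoVaultBroken(uint256 amount) internal {
        reserveAsset.approve(address(curveVault), amount);
        curveVault.deposit(amount, address(this));
        totalVaultDeposits += amount;
    }

    // AFTER: move the tokens from the RToken to the pool first, then deposit.
    function _depositIntoVault(uint256 amount) internal {
        IRTokenAssumed(reserveRTokenAddress).transferAsset(address(this), amount);
        reserveAsset.approve(address(curveVault), amount);
        curveVault.deposit(amount, address(this));
        totalVaultDeposits += amount;
    }

    // AFTER: withdraw to the pool, then send the tokens back to the RToken so
    // the reserve holds them where user deposits and withdrawals are served.
    function _withdrawFromVault(uint256 amount) internal {
        curveVault.withdraw(amount, address(this), address(this));
        totalVaultDeposits -= amount;
        require(reserveAsset.transfer(reserveRTokenAddress, amount), "transfer failed");
    }
}
```

A regression test for the fix should set the curve vault address in the LendingPool fixture, since the early return in _ensureLiquidity and _rebalanceLiquidity otherwise hides both functions from the suite, and then assert that the RToken's crvUSD balance (not the pool's) decreases on a vault deposit and is restored after a vault withdrawal.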

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
