There are two critical issues with the way the Curve vault's withdraw function is called. First, the user interacting with the lending pool is passed as the owner of the shares that have to be burnt for the withdrawal to happen, so the call reverts. Second, the maxLoss parameter is effectively skipped (0 is passed), so no acceptable loss is specified and any withdrawal that incurs a loss reverts.
In LendingPool::_withdrawFromVault, msg.sender is incorrectly passed as the owner parameter to the Curve vault's withdraw function. The owner should be address(this) (the LendingPool contract), since the pool is the account that received the shares at deposit time (assuming the protocol handles deposits correctly). A vault following the linked Yearn V3 interface burns the shares from owner, and when the caller is not the owner it first spends the owner's allowance to the caller; the user holds neither the shares nor has granted such an allowance, so the call reverts.
Additionally, the maxLoss parameter is hardcoded to 0, which means the withdrawal reverts if the vault realises any loss on the way out. This is problematic since withdrawals from Curve V3 vaults can incur slippage, i.e. a loss relative to the requested amount of assets.
All withdrawals from the Curve vault will revert, since msg.sender is not the owner of the shares.
Even if the owner parameter is fixed, withdrawals may still revert because no slippage at all is accepted (maxLoss = 0).
This breaks core protocol functionality such as user withdrawals and borrowing whenever they require pulling funds from the Curve vault.
Pass address(this) as the owner parameter, and replace the hardcoded 0 with a configurable maxLoss (an admin-set value in basis points, bounded to at most 100%) so the protocol can decide how much loss it is willing to absorb on a withdrawal.
The Yearn documentation gives further recommendations on how to use the maxLoss parameter:
https://docs.yearn.fi/developers/v3/Integrating_v3#maxloss
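The following is an added illustration of both the buggy call described above and the recommended fix; it is example code written for this report, not the audited LendingPool or the vault's own source. The interface is the four-argument `withdraw(assets, receiver, owner, maxLoss)` form that the linked Yearn V3 docs describe (the optional strategies queue is omitted); the contract name `LendingPoolExample`, the `vault`, `maxLoss`, `setMaxLoss` and `MAX_BPS` names, and the simple owner-based access control are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the Yearn V3-style vault withdraw interface (assumed for this example).
// maxLoss is expressed in basis points: 10_000 = 100%, 0 = revert on any loss.
interface IYearnV3Vault {
    function withdraw(uint256 assets, address receiver, address owner, uint256 maxLoss)
        external
        returns (uint256 shares);
}

// Illustrative contract, NOT the audited LendingPool: only the pieces needed to show
// the vulnerable call next to the fixed one.
contract LendingPoolExample {
    uint256 internal constant MAX_BPS = 10_000; // assumed scale, same as Yearn V3

    address public admin;                 // assumed admin role for this example
    IYearnV3Vault public immutable vault; // assumed: the vault holding this pool's shares
    uint256 public maxLoss;               // acceptable loss on withdrawal, in bps

    event MaxLossUpdated(uint256 oldMaxLossBps, uint256 newMaxLossBps);

    error NotAdmin();
    error MaxLossTooHigh(uint256 maxLossBps);

    constructor(IYearnV3Vault _vault, uint256 _maxLossBps) {
        admin = msg.sender;
        vault = _vault;
        _setMaxLoss(_maxLossBps);
    }

    // Vulnerable shape, as described in the finding: the caller is passed as `owner`,
    // so the vault tries to burn shares (and spend an allowance) that belong to the
    // user rather than to this contract, and maxLoss = 0 rejects any loss at all.
    function _withdrawFromVaultVulnerable(uint256 assets, address receiver)
        internal
        returns (uint256)
    {
        return vault.withdraw(assets, receiver, msg.sender, 0);
    }

    // Fixed shape: this contract received the shares at deposit time, so it is the
    // owner; the loss tolerance comes from admin-configured storage instead of 0.
    function _withdrawFromVault(uint256 assets, address receiver)
        internal
        returns (uint256)
    {
        return vault.withdraw(assets, receiver, address(this), maxLoss);
    }

    function setMaxLoss(uint256 _maxLossBps) external {
        if (msg.sender != admin) revert NotAdmin();
        _setMaxLoss(_maxLossBps);
    }

    function _setMaxLoss(uint256 _maxLossBps) internal {
        // Bound the value so an admin cannot set a tolerance above 100%.
        if (_maxLossBps > MAX_BPS) revert MaxLossTooHigh(_maxLossBps);
        emit MaxLossUpdated(maxLoss, _maxLossBps);
        maxLoss = _maxLossBps;
    }
}
```

Because maxLoss is compared by the vault against the requested assets (in basis points), a small non-zero value such as 1 to 50 bps is the usual starting point; setting it to MAX_BPS disables the check entirely and should be treated as an emergency-only option.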