Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Incorrect Function Parameter Usage for Curve Vault Withdrawal in LendingPool Contract

Summary

The _withdrawFromVault function in the LendingPool contract incorrectly assumes that the Curve Vault's withdrawal function follows a specific interface. However, the parameters passed in the LendingPool contract do not match the actual Curve Vault function signature. This can lead to transaction failures or unexpected behavior as extra parameters are being passed.

Vulnerability Details

The LendingPool contract assumes the Curve Vault withdrawal function has the following signature:

function withdraw(
    uint256 assets,
    address receiver,
    address owner,
    uint256 maxLoss,
    address[] calldata strategies
) external returns (uint256 shares);

However, the actual Curve Vault contract defines the withdrawal function as:

def withdraw(assets: uint256, receiver: address = msg.sender, owner: address = msg.sender) -> uint256:

Key Differences:

  • Extra Parameters in LendingPool: The LendingPool function passes maxLoss and strategies, but the real Curve Vault function does not accept these parameters.

  • Incorrect Parameter Order: LendingPool expects assets, receiver, owner, maxLoss, strategies, while Curve Vault only expects assets, receiver, owner. This can lead to unintended function execution or outright transaction failures.

Impact

  1. Transaction Failure Due to Parameter Mismatch – The function call will revert, blocking liquidity withdrawals.

  2. Unexpected Behavior if Parameters Are Ignored – Withdrawals may appear successful but behave incorrectly.

Recommendations

1. Correct the Function Signature to Match the Curve Vault Interface

function _withdrawFromVault(uint256 amount) internal {
    curveVault.withdraw(amount, address(this), msg.sender);
    totalVaultDeposits -= amount;
}

  • Removed extra parameters (maxLoss, strategies) to match the real Curve Vault function.

  • Ensures compatibility with Curve Vault's withdrawal function, preventing transaction failures.
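
An added example, not part of the submission or the project's code: a signature-mismatch claim of this kind can be checked by comparing 4-byte function selectors, keeping in mind that a Vyper function with default arguments exposes one selector per arity. `VAULT_DECL` and `CALLER_SIG` are copied from the text above and are not verified against a deployed vault; the helper names and the pure-Python Keccak-256 are this example's own.

```python
import re

def _rol(a, n):
    return ((a << n % 64) | (a >> (64 - n % 64))) & (2**64 - 1)

def _keccak_f(lanes):  # Keccak-f[1600] on 64-bit lanes indexed lanes[x][y]
    r = 1
    for _ in range(24):
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):  # chi
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):  # iota, round constant generated by the LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes

def selector(signature):
    """First 4 bytes of keccak256(signature) as hex: the EVM function selector."""
    data = signature.encode()
    assert len(data) < 136, "helper handles a single 136-byte rate block only"
    block = bytearray(200)
    block[:len(data)] = data
    block[len(data)] ^= 0x01  # original Keccak padding (SHA-3 would use 0x06)
    block[135] ^= 0x80
    lanes = [[int.from_bytes(block[8 * (x + 5 * y):][:8], "little") for y in range(5)] for x in range(5)]
    return _keccak_f(lanes)[0][0].to_bytes(8, "little")[:4].hex()

def vyper_abi_signatures(decl):
    """One external signature per default-argument arity (simple types only)."""
    name, args = re.match(r"def\s+(\w+)\((.*?)\)", decl).groups()
    params = [p.strip() for p in args.split(",") if p.strip()]
    types = [p.split(":")[1].split("=")[0].strip() for p in params]
    required = sum("=" not in p for p in params)
    return [f"{name}({','.join(types[:n])})" for n in range(required, len(types) + 1)]

def caller_matches(caller_sig, vault_decl):  # is the caller's selector exposed?
    return selector(caller_sig) in {selector(s) for s in vyper_abi_signatures(vault_decl)}

VAULT_DECL = "def withdraw(assets: uint256, receiver: address = msg.sender, owner: address = msg.sender) -> uint256:"
CALLER_SIG = "withdraw(uint256,address,address,uint256,address[])"  # as quoted in the submission
```

With the declaration as quoted, `caller_matches` is true for the three-argument call and false for the five-argument one. The result is only as reliable as the declaration fed in, so the check should be run against the ABI of the vault actually deployed.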

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
