Core Contracts

## Summary

In the _withdrawFromVault function, when liquidity is being withdrawn from the Curve vault, the msg.sender address is incorrectly passed as the owner in the withdrawal call to vault. Since the user does not hold Curve tokens, the correct recipient should be the contract itself (address(this)). Passing msg.sender would cause the withdrawal to be revert as user don't have those tokens.

## Vulnerability Details

• Issue:

  • In the _withdrawFromVault function, when liquidity needs to be withdrawn from the Curve vault to rebalance liquidity, the address of the user (msg.sender) is passed as the owner instead of address(this) in the withdrawal call.

  • This is incorrect because users do not directly hold Curve tokens, and they should not be the owner of the withdrawal.

  • The correct owner for the withdrawal should be address(this) (i.e., the contract itself), as the contract manages the Curve vault and the user's funds.

• Incorrect Code:

  curveVault.withdraw(amount, address(this), msg.sender, 0, new address ```

  ​

  In this line, `msg.sender` is incorrectly passed as the recipient.

## Impact

• Liquidity Management Issues:

  • Since msg.sender (the user) is being used as the owner, lead to revert of function

## Tools Used

• Manual inspection of the contract logic.

## Recommendations

1. Fix the Withdrawal Address:

   • Change the third parameter of the curveVault.withdraw function to address(this) to ensure that the contract itself is teh owner.

   curveVault.withdraw(amount, address(this), address(this), 0, new address );