Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Hardcoded Zero Slippage in _withdrawFromVault Causes Frequent Transaction Failures

Summary

The _withdrawFromVault function in the LendingPool contract sets the slippage tolerance to 0 when calling the Curve Vault's withdraw function. This strict setting causes the function to revert even with the slightest price fluctuation, making withdrawals highly unreliable and increasing the risk of transaction failures.

Vulnerability Details

The function in LendingPool is implemented as follows:

function _withdrawFromVault(uint256 amount) internal {
    // maxLoss (4th argument) is hardcoded to 0
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    totalVaultDeposits -= amount;
}

Issue:

  • The maxLoss parameter is hardcoded to 0, which means that any slippage, even minimal, will cause the function to revert.

  • In real-world DeFi scenarios, liquidity pools often experience small price variations due to market movements, rounding errors, or minor fluctuations in asset values.

  • This strict condition makes the withdrawal function highly unreliable, as it will fail most of the time unless perfect conditions exist.

Impact

  1. Frequent Transaction Failures – Since even the slightest slippage causes reverts, users will face repeated failed withdrawals, leading to frustration and inefficiency.

  2. Higher Gas Costs – Users waste gas fees on failed transactions when trying to withdraw from the Curve Vault.

  3. Liquidity Risks – If funds cannot be withdrawn due to constant reverts, protocol liquidity could be locked, impacting operations that rely on these funds.

Recommendations

  1. Allow a Reasonable Slippage Tolerance

    • Instead of setting maxLoss = 0, introduce a configurable parameter that allows a small, acceptable slippage range. Example:

    function _withdrawFromVault(uint256 amount, uint256 maxSlippage) internal {
        curveVault.withdraw(amount, address(this), msg.sender, maxSlippage, new address[](0));
        totalVaultDeposits -= amount;
    }
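A fuller form of the recommendation above, as an added example that is not the submission's or the project's own code: the tolerance is configurable by an admin but bounded by a hard cap, so it can be raised from 0 without allowing an arbitrary loss to be accepted. The `ICurveVault` interface is inferred from the call shown in the report; the basis-point unit, the 50 bps cap, and the names `VaultWithdrawSketch`, `admin`, `setMaxLossBps` and `MAX_LOSS_CAP_BPS` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed interface: argument order copied from the call shown in the report.
interface ICurveVault {
    function withdraw(
        uint256 assets,
        address receiver,
        address owner,
        uint256 maxLoss,
        address[] calldata strategies
    ) external;
}

// Hypothetical sketch of the mitigation, not the audited LendingPool.
contract VaultWithdrawSketch {
    // Assumption: the vault interprets maxLoss in basis points (10_000 = 100%).
    uint256 public constant MAX_LOSS_CAP_BPS = 50; // hard ceiling of 0.5%

    ICurveVault public immutable curveVault;
    address public immutable admin;
    uint256 public maxLossBps; // defaults to 0, the behaviour the report describes
    uint256 public totalVaultDeposits;

    event MaxLossUpdated(uint256 oldBps, uint256 newBps);

    error NotAdmin();
    error MaxLossTooHigh(uint256 requested, uint256 cap);

    constructor(ICurveVault vault) {
        curveVault = vault;
        admin = msg.sender;
    }

    // Raise or lower the tolerance; values above the cap are rejected outright.
    function setMaxLossBps(uint256 newBps) external {
        if (msg.sender != admin) revert NotAdmin();
        if (newBps > MAX_LOSS_CAP_BPS) revert MaxLossTooHigh(newBps, MAX_LOSS_CAP_BPS);
        emit MaxLossUpdated(maxLossBps, newBps);
        maxLossBps = newBps;
    }

    // Same call as in the report, with the stored tolerance in place of the literal 0.
    function _withdrawFromVault(uint256 amount) internal {
        curveVault.withdraw(amount, address(this), msg.sender, maxLossBps, new address[](0));
        totalVaultDeposits -= amount;
    }
}
```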
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
