Core Contracts

Regnum Aurum Acquisition Corp
Hardhat | Real World Assets | NFT
77,280 USDC
Submission Details
Severity: medium
Valid

**Incorrect Recipient for Curve Vault Withdrawal in `withdraw` Function**

## Summary

In the `withdraw` function, when the available liquidity in `reserve.reserveRTokenAddress` is insufficient, liquidity is withdrawn from the Curve vault to cover the deficit. However, the withdrawal from the Curve vault is incorrectly sent to `address(this)` (the lending pool), while it should be sent to `reserve.reserveRTokenAddress`, so that after burning the user's RTokens the contract has enough liquidity in `reserve.reserveRTokenAddress` to send the corresponding amount of reserve assets to the user.


## Vulnerability Details

  • Issue:

    • When there is insufficient liquidity in `reserve.reserveRTokenAddress`, the contract attempts to withdraw liquidity from the Curve vault.

    • The withdrawal function (`_withdrawFromVault`) incorrectly passes `address(this)` as the recipient instead of sending the tokens back to `reserve.reserveRTokenAddress`. As a result, `reserve.reserveRTokenAddress` still has inadequate liquidity even after tokens have been withdrawn from the Curve vault.

    • The `owner` parameter should also be changed from `msg.sender` to `address(this)`, because the Curve vault shares are held by `address(this)` (the lending pool), not by the caller.

    • The correct recipient for the withdrawal is the reserve contract (`reserve.reserveRTokenAddress`). This ensures that after the withdrawal there is enough liquidity in the reserve to handle the user's RToken burn and the subsequent transfer of reserve assets.

  • Incorrect Code:

    ```solidity
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address
    ```

    In this code, `address(this)` (the lending pool contract) is incorrectly used as the recipient of the liquidity withdrawn from the Curve vault.

## Impact

  • Liquidity Imbalance:

    • After a withdrawal, `reserve.reserveRTokenAddress` will have insufficient liquidity to handle future requests. This may prevent users from withdrawing their full amount of reserve assets in the future, causing liquidity issues in the contract.

  • Incorrect Token Transfers:

    • Users may receive tokens directly instead of having the contract manage the liquidity flow properly. This violates the intended logic of handling the liquidity and tokens within the system.


## Tools Used

  • Manual inspection of contract logic.


## Recommendations

  1. Fix the Recipient of the Curve Vault Withdrawal:

    • Change the second parameter of `curveVault.withdraw` (the receiver) to `reserve.reserveRTokenAddress`, and the third parameter (the owner) to `address(this)`. This ensures that after the withdrawal from the Curve vault, the tokens are sent to the appropriate reserve address, where the liquidity is properly managed.

    Corrected code:

    ```solidity
    curveVault.withdraw(amount, reserve.reserveRTokenAddress, address(this), 0, new address
    ```
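To make the accounting concrete, the following is an added Python model of the withdraw path (not code from the RAAC code base). It assumes a Curve vault with an ERC-4626-style `withdraw(assets, receiver, owner)` signature at a 1:1 share-to-asset rate, and runs each receiver/owner pairing the finding discusses: the original call, the call with only the owner corrected, and the recommended call.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed minimal ERC-20-like ledger keyed by account name."""
    balances: dict = field(default_factory=dict)

    def balance_of(self, acct: str) -> int:
        return self.balances.get(acct, 0)

    def transfer(self, frm: str, to: str, amt: int) -> None:
        if self.balance_of(frm) < amt:
            raise RuntimeError(f"insufficient balance at {frm}")
        self.balances[frm] -= amt
        self.balances[to] = self.balance_of(to) + amt


class CurveVault:
    """Assumed ERC-4626-style vault: withdraw(assets, receiver, owner) burns the
    owner's shares and pays the assets to receiver (1 share == 1 asset here)."""

    def __init__(self, asset: Token, shares: Token):
        self.asset, self.shares = asset, shares

    def withdraw(self, assets: int, receiver: str, owner: str) -> None:
        self.shares.transfer(owner, "burned", assets)        # revert if owner lacks shares
        self.asset.transfer("curve_vault", receiver, assets)  # pay out to receiver


def simulate_withdraw(receiver: str, owner: str, amount: int = 100):
    """Run the pool's withdraw path with a 40-asset shortfall in the RToken contract.
    Returns (status, rtoken_balance_after); status is 'ok' or the revert reason."""
    POOL, RTOKEN, USER = "lending_pool", "rtoken", "user"
    asset = Token({RTOKEN: 60, "curve_vault": 100})  # RToken holds 60, user wants 100
    shares = Token({POOL: 100})                       # vault shares are held by the pool
    vault = CurveVault(asset, shares)
    try:
        available = asset.balance_of(RTOKEN)
        if available < amount:                        # deficit: pull from the Curve vault
            vault.withdraw(amount - available, receiver, owner)
        # RToken burn omitted; the RToken contract then pays reserve assets to the user
        asset.transfer(RTOKEN, USER, amount)
        return "ok", asset.balance_of(RTOKEN)
    except RuntimeError as err:
        return str(err), asset.balance_of(RTOKEN)
```

`simulate_withdraw("lending_pool", "user")` reverts at the vault because the caller owns no shares, `simulate_withdraw("lending_pool", "lending_pool")` reverts at the RToken transfer because the 40 assets landed in the pool, and only `simulate_withdraw("rtoken", "lending_pool")` completes.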
## Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
