Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Potential denial of service in `_withdrawFromVault` affecting lending operations

Summary

The _withdrawFromVault function calls curveVault::withdraw with a maxLoss parameter of 0, which can cause the function to revert if the vault has a strategy experiencing losses. This can lock funds indefinitely until the loss is repaid or socialized, potentially causing a denial of service (DoS). Additionally, this issue extends to LendingPool::borrow and LendingPool::withdraw, both of which rely on _ensureLiquidity, which in turn calls _withdrawFromVault. If maxLoss is set to 0, these critical lending operations can also become unavailable.

Vulnerability Details

Problem description

  • The function _withdrawFromVault interacts with a Curve Vault, which integrates with Yearn Vaults.

  • Yearn Vaults impose a loss policy where withdrawals with a maxLoss value of 0 can be blocked if a strategy has an unrealized loss.

  • The function currently calls:

function _withdrawFromVault(uint256 amount) internal {
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0)); // @audit-issue Hardcoded `maxLoss` of 0
    totalVaultDeposits -= amount;
}

  • The maxLoss parameter is set to 0, meaning withdrawals will revert if any strategy has an unrealized loss.

  • This can prevent both normal withdrawals and emergency withdrawals, causing a major issue for users relying on liquidity.

  • Furthermore, the issue propagates to lending operations due to _ensureLiquidity, which attempts to withdraw funds from the Curve Vault when liquidity is insufficient.

Affected lending operations

function _ensureLiquidity(uint256 amount) internal {
    // if curve vault is not set, do nothing
    if (address(curveVault) == address(0)) {
        return;
    }
    uint256 availableLiquidity = IERC20(reserve.reserveAssetAddress).balanceOf(reserve.reserveRTokenAddress);
    if (availableLiquidity < amount) {
        uint256 requiredAmount = amount - availableLiquidity;
        // Withdraw required amount from the Curve vault
        _withdrawFromVault(requiredAmount); // @audit-issue May revert due to maxLoss = 0
    }
}

  • _ensureLiquidity is called in LendingPool::borrow and LendingPool::withdraw, meaning a failed vault withdrawal will result in these operations being blocked.

Steps to reproduce
  1. Deposit funds into the Curve Vault.

  2. The underlying Yearn strategy suffers a loss.

  3. Call _withdrawFromVault, which reverts because maxLoss is hardcoded to 0.

  4. This failure propagates to LendingPool::borrow and LendingPool::withdraw, blocking user operations.

Impact

  • Denial of service (DoS): Withdrawals are blocked if any strategy experiences a loss.

  • Liquidity risk: Users may not be able to retrieve their funds during critical moments.

  • Protocol disruption: Lending operations (borrowing and withdrawals) are also affected, reducing system resilience.

Tools Used

  • Manual code review

  • Reference to Yearn Vault’s loss-handling mechanisms

Reference: https://github.com/code-423n4/2023-07-tapioca-findings/issues/1456

Recommendations

Allow configurable loss threshold
  1. Modify _withdrawFromVault to allow a configurable maxLoss parameter instead of hardcoding 0.

  2. Introduce an admin-controlled setting for adjusting the maxLoss value dynamically.

  3. Ensure that _ensureLiquidity gracefully handles vault withdrawal failures, preventing lending operations from becoming unavailable.
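A hardened version of the two functions discussed above that implements the three recommendations, added here as an example (it is not the project's code). It assumes a Yearn-V3-style `withdraw` signature matching the page's call (maxLoss in basis points), a single hypothetical `admin` address, an assumed `MAX_LOSS_CAP` of 500 basis points, and OpenZeppelin's IERC20; `reserveAsset` and `reserveRToken` stand in for the `reserve` struct fields, and the receiver/owner arguments are kept as in the page's snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Assumed interface shaped after the page's call (Yearn V3-style): maxLoss is in basis points of `assets`,
// an empty strategies array means "use the vault's default withdrawal queue".
interface ICurveVault {
    function withdraw(uint256 assets, address receiver, address owner, uint256 maxLoss, address[] calldata strategies) external returns (uint256);
}
contract LendingPoolMaxLossExample {
    uint256 public constant MAX_LOSS_CAP = 500; // assumed bound: at most 5% (500 of 10_000 bps)
    address public immutable admin;         // hypothetical single admin role
    ICurveVault public immutable curveVault;
    IERC20 public immutable reserveAsset;   // stands in for reserve.reserveAssetAddress
    address public immutable reserveRToken; // stands in for reserve.reserveRTokenAddress
    uint256 public totalVaultDeposits;
    uint256 public maxLoss;                 // basis points; the default 0 keeps today's strict behaviour

    event MaxLossUpdated(uint256 oldMaxLoss, uint256 newMaxLoss);
    error InsufficientLiquidity(uint256 requested, uint256 available);
    constructor(address _admin, ICurveVault _vault, IERC20 _asset, address _rToken) {
        admin = _admin; curveVault = _vault; reserveAsset = _asset; reserveRToken = _rToken;
    }
    // Recommendation 2: admin-adjustable tolerance, capped so a careless or compromised admin
    // cannot authorise an arbitrarily lossy withdrawal; the event gives monitoring a hook.
    function setMaxLoss(uint256 newMaxLoss) external {
        require(msg.sender == admin, "not admin");
        require(newMaxLoss <= MAX_LOSS_CAP, "maxLoss above cap");
        emit MaxLossUpdated(maxLoss, newMaxLoss);
        maxLoss = newMaxLoss;
    }
    // Recommendations 1 and 3: pass the configurable maxLoss, and report a vault failure to the
    // caller instead of letting the vault's own revert bubble up without context.
    function _ensureLiquidity(uint256 amount) internal returns (bool) {
        uint256 available = reserveAsset.balanceOf(reserveRToken);
        if (available >= amount) return true;
        if (address(curveVault) == address(0)) return false;
        uint256 required = amount - available;
        try curveVault.withdraw(required, address(this), msg.sender, maxLoss, new address[](0)) {
            totalVaultDeposits -= required;
            return true;
        } catch {
            return false; // e.g. the vault's unrealized loss exceeds maxLoss
        }
    }
    function borrow(uint256 amount) external {
        if (!_ensureLiquidity(amount)) revert InsufficientLiquidity(amount, reserveAsset.balanceOf(reserveRToken));
        // ... remaining borrow logic omitted
    }
}
```

When the vault cannot serve the withdrawal even within the configured tolerance, `borrow` still reverts, but with a descriptive `InsufficientLiquidity` error instead of the vault's opaque revert, which makes the condition easy to alert on.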

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals

