Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing Approval Before Withdrawing from Curve Vault in `_withdrawFromVault`

## Summary

In the _withdrawFromVault function, there is a critical issue where the contract fails to approve the CurveUSD token for the Curve Vault before attempting to withdraw the requested amount. The curveVault.withdraw function requires the CurveUSD token to be approved before it can burn the tokens and transfer back the requested amount. Without the proper approval, the withdrawal will fail, causing the system to malfunction.


## Vulnerability Details

  • Issue:

    • The function _withdrawFromVault directly calls curveVault.withdraw without first approving the CurveUSD token for the withdrawal. The Curve Vault needs approval to handle the tokens being burned and transferred back to the system. Since the approval is not done, the transaction will fail, preventing the withdrawal.

  • Affected Code:

    curveVault.withdraw(amount, address(this), msg.sender, 0, new address

    The contract does not approve the CurveUSD token to the `curveVault`, which is necessary for the withdrawal process. As a result, the transaction will fail when the `curveVault` tries to burn or transfer the assets.

## Impact

  • Transaction Failure:

    • Without the proper approval, the withdrawal process from the Curve Vault will fail. This prevents the user from receiving the requested amount of tokens.


## Tools Used

  • Manual inspection of the contract's liquidity management logic.


## Recommendations

  1. Approve Tokens Before Withdrawing:

    • Ensure that the CurveUSD token is approved for the Curve Vault before the withdrawal is initiated. This can be done by calling the approve function for the required amount of tokens.

    Example fix:

    IERC20(curUSD).approve(address(curveVault), amount);

  2. Ensure Approval for Token Transfer:

    • Before withdrawing from the Curve Vault, verify that the necessary approval is granted to the Curve Vault for the withdrawal operation. This ensures the system functions as intended and prevents errors during the withdrawal process.

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
