Incorrect USDC Withdrawal Destination in _withdrawFromVault
Summary
The LendingPool::_withdrawFromVault function in the contract mistakenly sends USDC tokens to the Lending Pool instead of the intended RToken address when withdrawing from the Curve vault.
Vulnerability Details
When there is insufficient liquidity in the RToken contract, _ensureLiquidity triggers _withdrawFromVault.
_withdrawFromVaultcalls `curveVault.withdraw(amount, address(this), msg.sender, 0, new addressThe function parameters should ensure USDC is deposited into the RToken contract, but instead, it is being sent to the Lending Pool (
msg.sender).
Impact
Withdrawn USDC from the Curve vault does not go to the RToken contract but rather to the Lending Pool.
Tools Used
Manual review
Recommendations
Modify _withdrawFromVault to ensure that withdrawn USDC is sent directly to the RToken contract instead of the Lending Pool
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.