Potential Insufficient Liquidity for Curve Vault Deposit
Summary
The function LiquidityPool::_depositIntoVault attempts to deposit liquidity into the Curve vault. However, the contract may not have enough tokens from the reserveAssetAddress to deposit, as this address is stored in the Rtoken contract, not the LendingPool contract itself.
Vulnerability Details
The reserveAssetAddress is stored in the Rtoken contract, not directly in the LendingPool contract. Before depositing into the Curve vault, the LendingPool contract should ensure it has sufficient tokens from the Rtoken contract. The absence of this step could lead to failed deposits due to insufficient token balance in the LendingPool contract.
Impact
If the LendingPool contract does not receive the reserveAssetAddress tokens from the Rtoken contract, the deposit into the Curve vault will fail. If approval and transfer mechanisms are not handled properly, there could be issues with interacting with the Curve vault.
Tools Used
Manual review
Recommendations
Ensure that the LendingPool contract transfers the required reserveAssetAddress tokens from the Rtoken contract to the LendingPool contract before performing the deposit.
Add logic to verify that the LendingPool contract has sufficient balance of the reserveAssetAddress tokens before proceeding with the approval and deposit steps.
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.