Entire LendingPool is broken once CurveVault is set
Summary
All functions like withdraw/deposit/borrow in the lending pool call the rebalanceLiquidity function. This inturn calls the _depositIntoVault function which tries to approve the curveVault and then transfer the funds to the curveVault. The issue is that the lendingPool does not hold any funds and this will cause the curveVault.deposit to revert every time. Thus essentially breaking the entire LendingPool.
Vulnerability Details
When a deposit happens the funds are transferred to the reserveRtokenAddress and not to the lending pool from the user. Thus the lendingPool doesnt hold any user funds. But the depositIntoVault function assumes that the LendingPool has the user funds and tries to deposit these funds to the curveVault. This will cause the curveVault.deposit() to revert. Thus DOS'ing the entire LendingPool contract. it can be noted that once the curveVault is set it cant be set back to address(0) thus this will be a permanent DOS of the lendingPool contract.
Impact
LendingPool contract wont work.
Tools Used
manual Review
Recommendations
Update the _depositIntoVault function as follows:
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.