Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: high
Valid

_withdrawFromVault function in LendingPool.sol will always fail

Summary

When depositing into the curveVault, the owner of the minted shares is set to the LendingPool.sol contract itself, but the withdrawal is done assuming that the owner is msg.sender. This will cause the function to fail.

Vulnerability Details

The curveVault mints the shares to the LendingPool upon depositing into the vault, but the _withdrawFromVault function tries to withdraw msg.sender's shares. This will fail, as msg.sender is not expected to hold any shares in the curve vault contract, nor to have approved the LendingPool to spend them.

function _depositIntoVault(uint256 amount) internal {
    IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
    // the owner of the shares is address(this) = lendingPool
    curveVault.deposit(amount, address(this));
    totalVaultDeposits += amount;
}

function _withdrawFromVault(uint256 amount) internal {
    // the share owner we are withdrawing from is msg.sender, which is wrong
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    totalVaultDeposits -= amount;
}

Impact

Once the curve vault is set, the withdraw/borrow etc. functions that route through _withdrawFromVault won't work.

Tools Used

Manual review.

Recommendations

Change msg.sender to address(this) as the owner argument in the curveVault.withdraw call.
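To make the failure mode concrete, the following is an added, self-contained example (not code from the Regnum Aurum project) that reproduces the vulnerable and the recommended withdraw paths against a mock vault. The mock vault is an assumption: it keeps the five-argument withdraw shape used on the page and applies ERC-4626-style owner semantics (shares are burned from `owner`; a caller other than `owner` needs a share allowance), with 1:1 shares for simplicity. `MockAsset`, `MockVault`, `Pool` and `Demo` are all constructed here for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 used as the vault's underlying asset (constructed for this example).
contract MockAsset {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount; return true;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "balance");
        balanceOf[msg.sender] -= amount; balanceOf[to] += amount; return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        require(balanceOf[from] >= amount, "balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount; balanceOf[to] += amount; return true;
    }
}

// Mock vault (assumption) with the same deposit/withdraw shape as the page's curveVault calls.
// ERC-4626-style owner semantics: shares are burned from `owner`, and a caller other than
// `owner` must hold a share allowance from `owner`. Shares are 1:1 with assets here.
contract MockVault {
    MockAsset public immutable asset;
    mapping(address => uint256) public shares;
    mapping(address => mapping(address => uint256)) public shareAllowance;

    constructor(MockAsset _asset) { asset = _asset; }

    function deposit(uint256 assets, address receiver) external returns (uint256) {
        asset.transferFrom(msg.sender, address(this), assets);
        shares[receiver] += assets;          // the receiver, not msg.sender, owns the shares
        return assets;
    }

    function withdraw(uint256 assets, address receiver, address owner, uint256, address[] calldata)
        external returns (uint256)
    {
        if (msg.sender != owner) {
            require(shareAllowance[owner][msg.sender] >= assets, "vault: no share allowance");
            shareAllowance[owner][msg.sender] -= assets;
        }
        require(shares[owner] >= assets, "vault: insufficient shares");
        shares[owner] -= assets;
        asset.transfer(receiver, assets);
        return assets;
    }
}

// Pool mirroring LendingPool's vault helpers; both withdraw variants are shown side by side.
contract Pool {
    MockAsset public asset;
    MockVault public vault;
    uint256 public totalVaultDeposits;

    constructor(MockAsset _asset, MockVault _vault) { asset = _asset; vault = _vault; }

    function depositIntoVault(uint256 amount) external {
        asset.approve(address(vault), amount);
        vault.deposit(amount, address(this));   // shares are credited to this pool
        totalVaultDeposits += amount;
    }

    // As on the page: owner = msg.sender, who holds no shares and granted no allowance.
    function withdrawFromVaultVulnerable(uint256 amount) external {
        vault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
        totalVaultDeposits -= amount;
    }

    // Recommended fix: the pool is the share owner, so pass address(this).
    function withdrawFromVaultFixed(uint256 amount) external {
        vault.withdraw(amount, address(this), address(this), 0, new address[](0));
        totalVaultDeposits -= amount;
    }
}

// Driver: deposits, then exercises both withdraw paths.
// Returns (vulnerableReverted, fixedSucceeded); expected (true, true).
contract Demo {
    function run() external returns (bool vulnerableReverted, bool fixedSucceeded) {
        MockAsset asset = new MockAsset();
        MockVault vault = new MockVault(asset);
        Pool pool = new Pool(asset, vault);
        asset.mint(address(pool), 1_000e6);
        pool.depositIntoVault(1_000e6);

        // Reverts with "vault: no share allowance": the pool calls the vault with owner = Demo,
        // and Demo never approved the pool (and holds no shares anyway).
        try pool.withdrawFromVaultVulnerable(100e6) { vulnerableReverted = false; }
        catch { vulnerableReverted = true; }

        pool.withdrawFromVaultFixed(100e6);
        fixedSucceeded = vault.shares(address(pool)) == 900e6
            && asset.balanceOf(address(pool)) == 100e6
            && pool.totalVaultDeposits() == 900e6;
    }
}
```

Deploying `Demo` and calling `run()` (for instance from a Hardhat script) returns `(true, true)`: the msg.sender-as-owner call reverts inside the vault, while the address(this) version burns the pool's own shares and returns the assets to the pool.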

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
