Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Shares not tracked can cause loss of funds / DoS for the protocol

Summary

The curveVault returns a share count when the lendingPool deposits into it. The lendingPool does not store this value; it records only the raw asset amount and, on withdrawal, asks the curveVault for exactly that amount back. This can cause:

  1. a revert if the position in the curveVault has taken a loss

  2. excess funds (accrued yield) stuck in the curveVault, never claimable

Vulnerability Details

The curveVault.deposit() function returns the number of shares minted to the lendingPool. This value is not tracked, yet it is what determines how much the pool can later withdraw. Two scenarios matter:
1. The value of the position in the curve vault increases (a profit is made)

Since the withdrawal always attempts to withdraw exactly the amount originally deposited, the profit is never realised and stays in the vault. This defeats the purpose of depositing into the vault in the first place, which is to earn interest on the reserve assets.

2. The value of the position in the curve vault decreases (a loss is made)
Since the withdrawal again attempts to withdraw the full original amount, with maxLoss set to 0, the vault call reverts, and every LendingPool operation that calls _withdrawFromVault reverts with it.

    function _depositIntoVault(uint256 amount) internal {
        IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);
        // The share count returned by deposit() is discarded.
        curveVault.deposit(amount, address(this));
        // Only the raw asset amount is recorded.
        totalVaultDeposits += amount;
    }

    function _withdrawFromVault(uint256 amount) internal {
        // Requests the exact asset amount back, with maxLoss hardcoded to 0.
        curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
        totalVaultDeposits -= amount;
    }

Impact

Loss of profit (yield stranded in the curveVault) and, after any loss in the vault, DoS of withdraw, borrow and every other lendingPool function that pulls funds from the vault.

Tools Used

Manual review

Recommendations

Track the shares returned by curveVault.deposit() and withdraw with curveVault.redeem() against that share balance, instead of requesting a fixed asset amount with maxLoss set to 0.
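The following is an added illustration of that recommendation, written for this page and not taken from the Regnum Aurum code base. It keeps the two function names from the finding but records the share count that deposit() returns and redeems shares rather than assets. The ICurveVault interface is a minimal assumption: deposit() and withdraw() follow the calls shown above, and redeem(), previewWithdraw() and convertToAssets() are assumed to exist in the ERC-4626 shape (with the same maxLoss and strategies arguments as withdraw()). The maxLoss unit (basis points) and the contract name VaultPositionTracker are also assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Assumed minimal view of the Curve vault used by the LendingPool.
/// deposit/withdraw match the calls in the finding; redeem, previewWithdraw
/// and convertToAssets are assumed to follow the ERC-4626 shape.
interface ICurveVault {
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
    function withdraw(uint256 assets, address receiver, address owner, uint256 maxLoss, address[] calldata strategies)
        external returns (uint256 shares);
    function redeem(uint256 shares, address receiver, address owner, uint256 maxLoss, address[] calldata strategies)
        external returns (uint256 assets);
    function previewWithdraw(uint256 assets) external view returns (uint256 shares);
    function convertToAssets(uint256 shares) external view returns (uint256 assets);
}

/// Hypothetical replacement for the vault bookkeeping in LendingPool.
contract VaultPositionTracker {
    ICurveVault public immutable curveVault;
    IERC20 public immutable asset;

    /// Shares the pool actually holds in the vault (the value deposit() returns),
    /// instead of the raw asset amount the original code accumulates.
    uint256 public totalVaultShares;

    event VaultWithdraw(uint256 requested, uint256 received, uint256 sharesBurned);

    constructor(ICurveVault vault_, IERC20 asset_) {
        curveVault = vault_;
        asset = asset_;
    }

    function _depositIntoVault(uint256 amount) internal {
        asset.approve(address(curveVault), amount);
        // Keep the share count; it is the pool's real claim on the vault.
        uint256 shares = curveVault.deposit(amount, address(this));
        totalVaultShares += shares;
    }

    /// Withdraw up to `amount` of underlying by redeeming shares.
    /// `maxLossBps` is forwarded to the vault (assumed basis points) so a fee
    /// or small slippage does not revert the way a hardcoded 0 does.
    /// Returns the assets actually received; callers must use this value,
    /// not `amount`, because after a loss the pool may own fewer shares than
    /// `amount` is worth and will then receive less.
    function _withdrawFromVault(uint256 amount, uint256 maxLossBps) internal returns (uint256 received) {
        // previewWithdraw rounds up, so redeeming this many shares yields at least `amount`
        // when the pool holds enough of them.
        uint256 shares = curveVault.previewWithdraw(amount);
        if (shares > totalVaultShares) {
            // Loss scenario: realise it proportionally instead of reverting.
            shares = totalVaultShares;
        }
        totalVaultShares -= shares;
        // The pool is the share owner because deposit() credited address(this).
        received = curveVault.redeem(shares, address(this), address(this), maxLossBps, new address[](0));
        emit VaultWithdraw(amount, received, shares);
    }

    /// Underlying value of the position at the vault's current exchange rate:
    /// principal plus unrealised profit, or minus unrealised loss. The
    /// original code could only ever report the deposited principal.
    function vaultPositionValue() public view returns (uint256) {
        return curveVault.convertToAssets(totalVaultShares);
    }

    /// Surplus above a recorded principal, which the original code left stranded.
    function unrealisedProfit(uint256 principal) public view returns (uint256) {
        uint256 value = vaultPositionValue();
        return value > principal ? value - principal : 0;
    }
}
```

With shares tracked, a profit in the vault shows up in vaultPositionValue() and can be redeemed later, and a loss burns more shares per unit withdrawn rather than reverting; the caller must still reconcile its own accounting against the `received` return value.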

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool earns yield from Curve Vault deposits but lacks systematic distribution mechanism, leading to protocol-owned value with unclear extraction path

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals


Appeal created

anonymousjoe Submitter 7 months ago
inallhonesty Lead Judge 7 months ago
