Core Contracts

Summary

When the curveVault goes into emergency shutdown, only the withdraw operations are active. The deposit functions are blocked. And thus the _depositIntoVault function will revert every time a user tries to deposit into the lendingPool.

Vulnerability Details

The root cause of this issue are 2:

1. There is no function to withdraw all the funds from the vault without users withdrawing from the LendingPool

2. There is no way to make the curveVault address back to addess(0)

   When the curveVault goes into emergency shutdown (or gets a deposit limit/withdraw limit etc) the depositfromVault function (and in some cases withdrawFromVault function) stop working. This makes the deposit function (and in some cases withdraw() function) of the lending Pool unavailable.

   function setCurveVault(address newVault) external onlyOwner {

   // new vault cant be address(0)

   require(newVault != address(0), "Invalid vault address");

   address oldVault = address(curveVault);

   curveVault = ICurveCrvUSDVault(newVault);

   emit CurveVaultUpdated(oldVault, newVault);

   }
   function _depositIntoVault(uint256 amount) internal {

   IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);

   // the deposit function below will revert in case of an emergency shutdown of the curveVault

   curveVault.deposit(amount, address(this));

   totalVaultDeposits += amount;

   }

Impact

Dos of deposit function when emergency shutdown of curveVault occurs. Or dos of withdraw function too if withdraw limit is imposed.

Tools Used

manual review

Recommendations

add functions to withdraw from the curve vault without withdrawing from the lending Pool. Allow the curveVault address to be set to address(0)