Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Recipient Address for Curve Vault Withdrawals in withdraw Function

Summary

The withdraw function attempts to address liquidity shortages by withdrawing assets from the Curve vault when the available liquidity in reserve.reserveRTokenAddress is insufficient. However, the withdrawn assets are incorrectly sent to address(this) (the lending pool contract) instead of reserve.reserveRTokenAddress, which is where the liquidity is actually needed. As a result, the reserve remains underfunded, preventing proper redemption of RTokens and leading to liquidity imbalances.

Vulnerability Details

Issue

  • The contract identifies a liquidity shortfall in reserve.reserveRTokenAddress and calls _withdrawFromVault to retrieve assets from the Curve vault.

  • The withdrawal function incorrectly designates address(this) as the recipient instead of reserve.reserveRTokenAddress.

  • This means that the liquidity needed for fulfilling withdrawals does not reach the intended reserve, leaving it underfunded.

  • Additionally, the owner parameter in the withdrawal call is set to msg.sender, whereas the Curve vault expects the tokens to be owned by address(this). This could cause authorization issues when attempting to withdraw.

Incorrect Code

curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

  • The address(this) parameter incorrectly receives the withdrawn assets, instead of directing them to the reserve.

  • The msg.sender parameter is incorrectly used for ownership, but Curve vault tokens belong to address(this), which means withdrawals could fail due to authorization mismatches.

Impact

Liquidity Imbalance

  • Since the withdrawn assets are not deposited into reserve.reserveRTokenAddress, the reserve remains underfunded.

  • This may lead to withdrawal failures, preventing users from redeeming their RTokens for underlying assets.

Incorrect Token Flow

  • The contract fails to manage liquidity correctly, causing disruptions in the intended financial mechanics.

  • Users may experience unexpected failures or reverts when attempting to withdraw their funds.

Tools Used

  • Manual code review and logic validation.

Recommendations

Fix the Recipient Address

  • The third parameter in the withdrawal function should be reserve.reserveRTokenAddress instead of address(this), ensuring the withdrawn assets are placed where they are actually needed.

  • The owner parameter should also be changed from msg.sender to address(this) to ensure proper authorization.

Corrected Code

curveVault.withdraw(amount, reserve.reserveRTokenAddress, address(this), 0, new address[](0));

This ensures that after the withdrawal, the liquidity is correctly allocated to the reserve, preventing potential liquidity shortages and ensuring smooth fund withdrawals for users.
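The following is an added illustration, not code from the RAAC repository, showing the incorrect call from the finding next to the corrected one inside a minimal pool contract. The vault interface is an assumption that matches the five-argument withdraw call quoted above (assets, receiver, owner, maxLoss, strategies); the contract name, the reserveAssetTokenAddress field, the custom error and the post-condition check are all hypothetical additions. The post-condition makes the misrouting described in this report fail loudly instead of leaving the reserve silently underfunded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not RAAC project code. The vault interface is an ASSUMPTION
// that mirrors the five-argument call quoted in the finding; verify it against
// the ABI of the vault actually deployed.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

interface IVaultMinimal {
    function withdraw(
        uint256 assets,
        address receiver,
        address owner,
        uint256 maxLoss,
        address[] calldata strategies
    ) external returns (uint256 shares);
}

contract VaultWithdrawExample {
    struct ReserveData {
        address reserveRTokenAddress;     // holds the pool's liquidity (name from the finding)
        address reserveAssetTokenAddress; // underlying asset; hypothetical field name
    }

    ReserveData public reserve;
    IVaultMinimal public curveVault;

    // Hypothetical error raised when the reserve did not receive what was withdrawn.
    error VaultWithdrawDidNotFundReserve(uint256 expected, uint256 received);

    constructor(address vault, address rToken, address asset) {
        curveVault = IVaultMinimal(vault);
        reserve = ReserveData(rToken, asset);
    }

    // Vulnerable shape from the finding: assets land in this contract instead of
    // the reserve, and the vault is told to burn shares owned by msg.sender even
    // though the pool (address(this)) is the share holder.
    function _withdrawFromVaultIncorrect(uint256 amount) internal {
        curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    }

    // Corrected shape: receiver is the reserve that must be refilled, owner is
    // the pool that holds the vault shares. The balance check afterwards turns a
    // misrouted withdrawal into a revert rather than a liquidity shortfall.
    function _withdrawFromVaultCorrected(uint256 amount) internal returns (uint256 shares) {
        IERC20Minimal asset = IERC20Minimal(reserve.reserveAssetTokenAddress);
        uint256 balanceBefore = asset.balanceOf(reserve.reserveRTokenAddress);

        shares = curveVault.withdraw(
            amount,
            reserve.reserveRTokenAddress, // receiver: where the liquidity is needed
            address(this),                // owner: the pool owns the vault shares
            0,                            // maxLoss: same value as in the finding's call
            new address[](0)              // strategies: empty list, vault default
        );

        uint256 received = asset.balanceOf(reserve.reserveRTokenAddress) - balanceBefore;
        if (received < amount) {
            revert VaultWithdrawDidNotFundReserve(amount, received);
        }
    }

    // Public entry point so the corrected path can be exercised in a test.
    function withdrawFromVault(uint256 amount) external returns (uint256) {
        return _withdrawFromVaultCorrected(amount);
    }
}
```

The balance check assumes the vault pays out exactly the requested assets when maxLoss is 0; a vault that rounds down by a wei or two would need the comparison relaxed to a tolerance, but the principle stands: verify that the account you meant to fund is the one whose balance grew.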

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions