Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Hardcoded 0 maxLoss in _withdrawFromVault Causes Frequent Transaction Failures

Summary

The _withdrawFromVault function in the LendingPool contract has a hardcoded slippage tolerance of 0 when calling the Curve Vault's withdraw function. This strict slippage setting results in the function reverting for even the smallest price fluctuations, making withdrawals unreliable and increasing the likelihood of transaction failures.

Vulnerability Details

The implementation of the function in the LendingPool contract is as follows:

function _withdrawFromVault(uint256 amount) internal {
    // maxLoss (4th argument) is hardcoded to 0; the last argument is an empty address array
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    totalVaultDeposits -= amount;
}

Issue:

  • The maxLoss parameter is hardcoded to 0, which means any slippage, even minimal, will cause the function to revert.

  • In real-world DeFi scenarios, liquidity pools are subject to small price changes due to market movements, rounding errors, or minor fluctuations in asset values.

  • This rigid condition makes the withdrawal function highly unreliable, as it fails most of the time unless perfect conditions are met.

Impact

  1. Frequent Transaction Failures – Since even slight slippage results in a revert, users will face repeated failed withdrawal attempts, leading to a frustrating and inefficient experience.

Recommendations

  1. Allow a Reasonable Slippage Tolerance

    Rather than hardcoding maxLoss = 0, introduce a configurable parameter to allow for a small, acceptable slippage range. For example:

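    function _withdrawFromVault(uint256 amount, uint256 maxSlippage) internal {
        // Caller-supplied tolerance replaces the hardcoded 0
        curveVault.withdraw(amount, address(this), msg.sender, maxSlippage, new address[](0));
        totalVaultDeposits -= amount; // accounting kept from the original function
    }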
    • This change would give users the flexibility to define a reasonable slippage tolerance, reducing the likelihood of failed transactions and improving the reliability of the withdrawal process.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
