Core Contracts

Summary

The _withdrawFromVault function in the LendingPool contract interacts with the Curve Vault to withdraw liquidity. However, the Curve Vault has a built-in check that ensures the remaining assets in the vault do not fall below a predefined MIN_ASSETS threshold. If a withdrawal request would violate this condition, the transaction reverts, potentially making it impossible to withdraw funds in certain situations.

Vulnerability Details

• Issue:

  • The Curve Vault's withdraw function includes the following assertion:

    assert total_assets - assets >= MIN_ASSETS or total_assets == assets, "Need more assets"

  • This condition ensures that after a withdrawal, the vault must retain at least MIN_ASSETS unless the entire balance is being withdrawn.

  • If the _withdrawFromVault function tries to withdraw an amount that would reduce the vault balance below MIN_ASSETS, the transaction will revert.

Impact

• Frequent Withdrawal Failures – Withdrawals may fail frequently, particularly when the vault balance is low or close to the MIN_ASSETS threshold.

• Unexpected Transaction Reverts – Users attempting to withdraw liquidity may encounter unexpected reverts, creating a frustrating experience.

• Locked Funds – If no proper error handling exists, funds could become locked in the vault until enough assets are deposited again, potentially impacting liquidity management.

Recommendations

1. Check Available Withdrawable Balance:

   • Before initiating a withdrawal, query the Curve Vault to determine the maximum amount that can be withdrawn without violating the MIN_ASSETS condition.

   • Add a safeguard to prevent attempting withdrawals that would trigger a revert due to insufficient remaining assets.

2. Handle Partial Withdrawals:

   • If the requested withdrawal exceeds the available balance (total assets - MIN_ASSETS), adjust the withdrawal amount dynamically to ensure it does not violate the vault’s constraints.