Incorrect Address Used in Curve Vault Withdrawal
Summary
In the _withdrawFromVault function, the contract mistakenly passes msg.sender as the withdrawal owner when interacting with the Curve vault. Since users do not hold Curve LP tokens directly, this causes the function to revert. The correct withdrawal owner should be address(this), ensuring the contract manages its own funds properly.
Vulnerability Details
Issue
The withdrawal function currently specifies
msg.senderas the withdrawal owner, which is incorrect because only the contract (address(this)) holds Curve LP tokens.This leads to a failed transaction since
msg.senderdoes not own the required tokens, preventing proper liquidity rebalancing.
Affected Code
Incorrect:
msg.senderis used as the withdrawal owner.Correct: The contract itself (
address(this)) should be the withdrawal owner.
Impact
Liquidity Management Issues
The function will revert, preventing liquidity withdrawal and affecting the protocol’s ability to rebalance assets.
This can lead to inefficiencies in fund management, causing operational disruptions in withdrawals and deposits.
Tools Used
Manual inspection of the contract logic.
Recommendations
Fix the Withdrawal Address
Ensure that the contract (
address(this)) is used as the owner when withdrawing from the Curve vault.
Example Fix
This ensures the contract successfully retrieves its liquidity from the Curve vault.
Lead Judging Commences
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.