`LendingPool._ensureLiquidity()` Does Not Send Withdrawn Assets to the `RToken` Contract
Summary
The LendingPool._ensureLiquidity() function is designed to ensure that enough underlying assets are available in the RToken for user withdrawals. However, it only withdraws assets from the curveVault to the LendingPool contract itself and does not send the withdrawn assets to the RToken contract. Consequently, it cannot ensure sufficient underlying assets in the RToken contract.
Vulnerability Details
The _ensureLiquidity() function aims to ensure enough underlying assets in the RToken for user withdrawals.
To achieve this, it calls the _withdrawFromVault() function at line 765.
However, the _withdrawFromVault() function sets the second parameter (representing the receiver) of curveVault.withdraw() to address(this), which means it withdraws the needed assets from the curve vault to the LendingPool contract itself, rather than to the RToken contract.
As a result, the _ensureLiquidity() function cannot ensure enough underlying assets in the RToken contract for user withdrawals.
Impact
Users cannot withdraw.
Tools Used
Manual review
Recommendations
Set the receiver to the RToken contract.
Lead Judging Commences
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
LendingPool::_depositIntoVault and _withdrawFromVault don't transfer tokens between RToken and LendingPool, breaking Curve vault interactions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.