Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing Approval Before Withdrawing from Curve Vault in _withdrawFromVault

Summary

In the _withdrawFromVault function, the contract does not approve the CurveUSD token before initiating a withdrawal from the Curve vault. The curveVault.withdraw function requires prior approval to burn and transfer tokens back to the system. Without proper approval, the transaction will fail, preventing successful liquidity withdrawal.

Vulnerability Details

Issue

  • The _withdrawFromVault function directly calls curveVault.withdraw without first approving the CurveUSD token.

  • Since the Curve vault requires an approval before handling tokens, the withdrawal process will revert due to missing authorization.

Affected Code

curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

  • Incorrect: The contract does not call approve before initiating the withdrawal.

  • Correct: Approval should be granted before attempting the withdrawal.

Impact

Transaction Failure

  • The withdrawal process fails, preventing the contract from retrieving liquidity.

  • This can cause operational disruptions in fund management, affecting withdrawals and liquidity rebalancing.

Tools Used

  • Manual inspection of the contract's liquidity management logic.

Recommendations

Approve Tokens Before Withdrawing

  • Ensure that the CurveUSD token is approved for the Curve Vault before the withdrawal is initiated.

Example Fix

IERC20(curUSD).approve(address(curveVault), amount);
curveVault.withdraw(amount, address(this), address(this), 0, new address[](0));

  • This ensures that the Curve vault can successfully process the withdrawal request.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
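
One way to test the claim under review, as an added example that is not the project's or the submitter's code: MockAsset, MockVault and WithdrawCheck are hypothetical, and the vault is assumed to use ERC-4626-style share accounting behind the five-argument withdraw shown above (the real vault's code is not on this page). The check records which allowance each path actually consults.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical mocks for illustration; share accounting is an assumption (1 share == 1 asset).
contract MockAsset {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address s, uint256 amt) external returns (bool) { allowance[msg.sender][s] = amt; return true; }
    function transfer(address to, uint256 amt) external returns (bool) { balanceOf[msg.sender] -= amt; balanceOf[to] += amt; return true; }
    function transferFrom(address f, address to, uint256 amt) external returns (bool) {
        allowance[f][msg.sender] -= amt; balanceOf[f] -= amt; balanceOf[to] += amt; return true;
    }
}

contract MockVault {
    MockAsset public immutable asset;
    mapping(address => uint256) public shares;
    mapping(address => mapping(address => uint256)) public shareAllowance;
    constructor(MockAsset a) { asset = a; }

    function deposit(uint256 amt, address receiver) external {
        asset.transferFrom(msg.sender, address(this), amt); // pulls the asset: asset allowance required
        shares[receiver] += amt;
    }
    // Same argument order as the call on this page: amount, receiver, owner, maxLoss, strategies.
    function withdraw(uint256 amt, address receiver, address owner, uint256, address[] memory) external {
        if (msg.sender != owner) shareAllowance[owner][msg.sender] -= amt; // share allowance, reverts on underflow
        shares[owner] -= amt;                                              // burn the owner's shares
        asset.transfer(receiver, amt);                                     // vault pays from its own balance
    }
}

contract WithdrawCheck {
    function run() external returns (bool) {
        MockAsset a = new MockAsset();
        MockVault v = new MockVault(a);
        a.mint(address(this), 100);
        a.approve(address(v), 100);
        v.deposit(100, address(this));                                    // consumes the whole asset allowance
        v.withdraw(40, address(this), address(this), 0, new address[](0)); // succeeds with asset allowance at 0
        try v.withdraw(10, address(this), address(0xBEEF), 0, new address[](0)) { return false; } catch {}
        return a.balanceOf(address(this)) == 40 && a.allowance(address(this), address(v)) == 0;
    }
}
```

Under these assumptions `run()` returns true: the deposit path is the only one that reads the asset allowance, and the withdraw path reads a share allowance only when the caller is not the owner.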
