`LendingPool._withdrawFromVault()` Uses `curveVault` Shares of `msg.sender` Instead of `LendingPool`
Summary
The LendingPool._withdrawFromVault() function is designed to ensure that enough underlying assets are available for user withdrawals. However, it withdraws assets from the curveVault by utilizing curveVault shares of msg.sender instead of those of the LendingPool. As a result, the withdrawer may incur losses, or if they do not have enough curveVault shares, the withdrawal will revert, preventing them from accessing their assets.
Vulnerability Details
The _withdrawFromVault() function aims to ensure sufficient underlying assets for user withdrawals.
However, it incorrectly sets the third parameter (representing the owner of the curveVault shares being redeemed) of curveVault.withdraw() to msg.sender. This means that the function withdraws the required assets from the curveVault using the curveVault shares of msg.sender instead of those of the LendingPool.
As a result, the withdrawer unfairly spends their curveVault shares, leading to a loss of funds. If the withdrawer does not have enough curveVault shares, they cannot withdraw their assets, effectively locking their funds.
Impact
This vulnerability can lead to a loss of funds for withdrawers.
Tools Used
Manual review
Recommendations
Set the third parameter to address(this) instead of msg.sender to ensure the LendingPool's curveVault shares are used for withdrawals.
Lead Judging Commences
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.