Hardcoded `0 bps` acceptable max loss may render LendingPool unable to withdraw from `curveVault`
Summary
LendingPool uses a hardcoded 0 BPS when withdrawing from curveVault.
As a result, LendingPool may be temporarily or even permanently unable to withdraw from curveVault
Vulnerability Details
The LendingPool deposits a part of its liquidity to curve vault for additional rewards for LPs.
On withdraw or borrow to/from LendingPool, if required, LendingPool withdraws from the curveVault to ensure sufficient liquidity is available.
The curveVault is the savings crvUSD vault which make use of Yearn V3 vault.
According to Yearn docs the maxLoss is defined as:
The problem is that the maxLoss used to withdraw from curveVault is hardcoded to 0 BPS.
If the loss is even slightly higher than 0 BPS, the transaction reverts.
This may result in the inability to withdraw funds from the curveVault.
Impact
The lendingPool may be temporary unable to fulfill withdraw and/or borrow request even if total liquidity (balance of LendingPool and the amount deposited in curveValut) is sufficient.
On extreme cases, when a loss greater than 0 bps persists, the funds deposited in curveVault may not be withdrawable at all.
Tools Used
Recommendations
Consider implementing one of the following :
use a configurable value
> 0BPS formaxLoss. Only admin/governance can update this value;use
redeeminstead ofwithdrawas suggested by Yearn; do not overwrite themaxLossdefault value, but keep in mind that:
Lead Judging Commences
LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
LendingPool::_withdrawFromVault hardcodes maxLoss to 0, causing reverts when Curve vault applies any fees or slippage to withdrawals
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.