The _rebalanceLiquidity() function is responsible for maintaining an optimal liquidity buffer ratio by moving excess crvUSD into the Curve vault or withdrawing funds when there’s a shortage. However, the _depositIntoVault() function incorrectly attempts to deposit crvUSD from the LendingPool.sol contract, while all crvUSD deposits are stored in RToken.sol.
This results in a failed deposit operation because the CurveVault tries to pull crvUSD from LendingPool.sol, where no crvUSD tokens exist.
Liquidity deposits (crvUSD) go directly into the RToken contract.
_rebalanceLiquidity() calculates how much crvUSD should remain available based on liquidityBufferRatio.
If there is excess liquidity, _depositIntoVault(excess) is called.
_depositIntoVault(amount) then approves the Curve vault to pull crvUSD and calls deposit() on the vault:
The Curve vault tries to pull crvUSD from LendingPool.sol, but the funds are actually held in RToken.sol. The deposit transaction fails due to insufficient balance.
Incorrect Behavior Flow
Users deposit crvUSD → Funds go into RToken.sol.
Protocol detects excess liquidity → Calls _depositIntoVault(excess).
Curve vault tries to pull crvUSD from LendingPool.sol → Fails because crvUSD is in RToken.sol.
Failed deposits and protocol halt: _depositIntoVault() fails whenever _rebalanceLiquidity() tries to transfer excess liquidity, which causes the transaction to revert and makes the protocol unusable.
Note: _depositIntoVault() will be called on the very first deposit transaction.
Manual review
Implement _depositIntoVault() in the RToken.sol contract, protected by an onlyLendingPool modifier, and call it from LendingPool.sol.
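A minimal sketch of that mitigation, added here as an illustration and not taken from the project's code base. The contract name RTokenSketch, the trimmed IERC20 and IVault interfaces, the external depositIntoVault() name and the custom errors are assumptions; the vault is assumed to pull assets from msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces assumed for this sketch (not the project's own definitions).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IVault {
    // Assumed behaviour: pulls `assets` from msg.sender via transferFrom.
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

contract RTokenSketch {
    IERC20 public immutable crvUSD;
    IVault public immutable curveVault;
    address public immutable lendingPool;

    error NotLendingPool();
    error InsufficientBalance(uint256 held, uint256 requested);

    // Only the lending pool may move the crvUSD held by this contract.
    modifier onlyLendingPool() {
        if (msg.sender != lendingPool) revert NotLendingPool();
        _;
    }

    constructor(IERC20 _crvUSD, IVault _curveVault, address _lendingPool) {
        crvUSD = _crvUSD;
        curveVault = _curveVault;
        lendingPool = _lendingPool;
    }

    // Called from LendingPool's rebalancing logic instead of a deposit made by
    // LendingPool itself. This contract is msg.sender of deposit(), so the vault
    // pulls from the balance that actually holds the crvUSD.
    function depositIntoVault(uint256 amount) external onlyLendingPool returns (uint256 shares) {
        uint256 held = crvUSD.balanceOf(address(this));
        if (amount > held) revert InsufficientBalance(held, amount);
        crvUSD.approve(address(curveVault), amount);
        shares = curveVault.deposit(amount, address(this));
    }
}
```

In this sketch the vault shares are credited to the RToken contract, so the withdrawal side of _rebalanceLiquidity() would need to be routed through RToken in the same way.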