In the `LendingPool` contract, the _withdrawFromVault() function calls curveVault.withdraw() with msg.sender as the owner instead of address(this). Since deposits mint vault shares to address(this), withdrawals should burn those shares from the same owner (address(this)). Using msg.sender instead of address(this) can prevent the contract from successfully withdrawing funds, leading to a loss of liquidity.
In the _depositIntoVault() function, assets are deposited into the Curve vault, and shares are minted to address(this), meaning the contract itself becomes the owner of the shares.
In the _withdrawFromVault() function, the curveVault.withdraw() function attempts to burn shares from msg.sender instead of address(this). However, since the shares were minted to address(this), the correct owner for burning these shares should also be address(this).
Failed Withdrawals: If msg.sender is not address(this), the withdrawal will fail because the vault does not recognize msg.sender as the owner of the shares.
Loss of Funds: The contract may not be able to reclaim its deposits, leading to funds being locked in the vault.
The above issue leads to failures in two pool behaviours: ensuring that sufficient liquidity is available while performing a withdraw or borrow, and rebalancing liquidity after deposit, withdrawal and borrowing.
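The owner mismatch described above, as an added example that is not the project's code: `MockVault` and `PoolSketch` are constructed stand-ins, and the ERC-4626-style `deposit(assets, receiver)` / `withdraw(assets, receiver, owner)` signatures and 1:1 share rate are assumptions (the real Curve vault interface may take different parameters). Asset token transfers are omitted so that only the share accounting is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed mock: 1:1 share vault with an ERC-4626-style owner parameter.
contract MockVault {
    mapping(address => uint256) public shares;
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function deposit(uint256 assets, address receiver) external {
        shares[receiver] += assets; // shares are minted to receiver
    }

    function withdraw(uint256 assets, address /* receiver */, address owner) external {
        if (msg.sender != owner) {
            require(allowance[owner][msg.sender] >= assets, "no allowance");
            allowance[owner][msg.sender] -= assets;
        }
        require(shares[owner] >= assets, "owner has no shares");
        shares[owner] -= assets; // shares are burned from owner
    }
}

// Hypothetical pool showing the finding's call next to the corrected one.
contract PoolSketch {
    MockVault public immutable vault;
    constructor(MockVault v) { vault = v; }

    function depositIntoVault(uint256 amount) external {
        vault.deposit(amount, address(this)); // the pool becomes the share owner
    }

    // As described in the finding: owner = msg.sender. Reverts for a user
    // caller, who holds no vault shares and has granted the pool no allowance.
    function withdrawBuggy(uint256 amount) external {
        vault.withdraw(amount, address(this), msg.sender);
    }

    // Corrected: burn the shares that the pool itself holds.
    function withdrawFixed(uint256 amount) external {
        vault.withdraw(amount, address(this), address(this));
    }
}
```

After `depositIntoVault(100)`, a call to `withdrawBuggy(100)` from any externally owned account reverts with "no allowance", while `withdrawFixed(100)` reduces `shares[address(pool)]` to zero.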