Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Protocol Insolvency due to inability to withdraw rewards from curve

0xtimefliez

Description

Within the LendingPool it is a core functionality to deposit and withdraw assets from the curve vault, presumably to earn interest on deposited assets. However accounting within the LendingPool makes it impossible to withdraw accrued interest.

Vulnerability Details

LendingPool::_depositIntoVault

function _depositIntoVault(uint256 amount) internal {

IERC20(reserve.reserveAssetAddress).approve(address(curveVault), amount);

curveVault.deposit(amount, address(this));

@> totalVaultDeposits += amount;

}

LendingPool::_withdrawFromVault

function _withdrawFromVault(uint256 amount) internal {

curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

@> totalVaultDeposits -= amount;

}

As you can see above in the function the total vault deposits are tracked as amount deposited and withdrawn, not as shares, neither is there any helper function to rectify this. This means that if the deposited value is 100 crvUSD, even if it was left within the curve vault for years, could only ever be withdrawn as 100 crvUSD, leaving accrued interest permanently locked within the curve vault.

Impact

Since this functionality is clearly meant to cover (at least partially) paid interest on RTokens, leaving the accrued interest within the curve vault will directly affect the solvency of the protocol. While users continue to accrue interest on R Tokens, the liabilities of the protocol will grow and eventually without the ability to access it's own interest rates within the curve vault, outgrow the assets.
Likelihood is High since no preconditions have to be met.
Impact is High since this directly affects the protocol solvency.

Therefore the total severity is High.

Tools Used

Manual Review

Recommended Mitigation

Implement functionality to update the amount of totalVaultDeposit depending on received vault shares.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!