Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

No functionality to withdraw protocol fees accrued in the LendingPool if curveVault != address(0)

Summary

The protocol fee accrues in the lending pool and initially remains at the RToken address (it is the difference between the borrowers' debt and the lenders' lent amount including the interest). This amount can never be withdrawn.

Vulnerability Details

When users start withdrawing their lent amount (assume that all the borrowers paid back), after each withdrawal (including the interest), the rTokenAddress is again filled with 20% of the totalLiquidity. The issue lies in the fact that the protocol fee amount is not considered in this totalLiquidity. Thus, because of the constant rebalancing of liquidity (after deposit), and assuming all the lenders withdrew, the rTokenAddress will be empty.

The protocol fee is by then held in the curveVault (otherwise it would remain in rToken.sol and could easily be taken out), and there is no way to withdraw this amount.
The only way to withdraw from the curveVault is to withdraw from the lendingPool, and the protocol fee amount is not associated with any RToken (the protocol fee amount is subtracted from the liquidity index and is not considered during minting), so the fee amount is always stuck in the curve vault.

Impact

Protocol fee amount in lending pool is irretrievable

Tools Used

manual review

Recommendations

Add a function to withdraw from the curveVault without going through the lending pool's withdraw.
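
The accounting described in this submission can be traced with a small model. This is an added example, not the project's code: `PoolModel`, its methods, the 10% fee rate and the deposit and interest amounts are all constructed assumptions; only the 20% buffer and the "fee excluded from totalLiquidity" rule come from the text above.

```python
# Constructed accounting model of the finding; not the LendingPool code.
BUFFER_BPS = 2_000  # 20% of totalLiquidity stays at the RToken address

class PoolModel:
    def __init__(self):
        self.rtoken_balance = 0   # underlying held at the RToken address
        self.vault_balance = 0    # underlying parked in the curve vault
        self.total_liquidity = 0  # lender claims only, protocol fee excluded
        self.claims = {}          # lender -> amount redeemable for RToken

    def _rebalance(self):
        # Keep only the buffer target at the RToken address; rest sits in the vault.
        target = self.total_liquidity * BUFFER_BPS // 10_000
        delta = self.rtoken_balance - target
        self.rtoken_balance -= delta
        self.vault_balance += delta

    def deposit(self, lender, amount):
        self.rtoken_balance += amount
        self.total_liquidity += amount
        self.claims[lender] = self.claims.get(lender, 0) + amount
        self._rebalance()

    def repay_interest(self, interest, fee_bps):
        # The fee share is withheld from lender claims: no RToken backs it.
        fee = interest * fee_bps // 10_000
        total = self.total_liquidity
        for lender, claim in self.claims.items():
            self.claims[lender] = claim + (interest - fee) * claim // total
        self.total_liquidity = sum(self.claims.values())
        self.rtoken_balance += interest
        self._rebalance()
        return fee

    def withdraw(self, lender):
        amount = self.claims.pop(lender)  # only exit path: redeem a claim
        self.total_liquidity -= amount
        self.rtoken_balance -= amount     # shortfall is pulled from the vault
        self._rebalance()
        return amount

def simulate():
    pool = PoolModel()
    pool.deposit("alice", 600)
    pool.deposit("bob", 400)
    fee = pool.repay_interest(100, fee_bps=1_000)  # 10% protocol fee
    pool.withdraw("alice")
    pool.withdraw("bob")
    return pool, fee
```

After both lenders exit, the model holds no claims and no buffer, while the vault balance equals the withheld fee, which is the invariant a fix should be tested against.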

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

anonymousjoe Submitter
6 months ago
inallhonesty Lead Judge
6 months ago
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol fees are deducted from depositor returns in liquidity rate calculations but never collected/transferred to protocol treasury, causing value loss
