CurveVault is based on shares, not on amounts
Summary
In LendingPool::_depositIntoVault, the protocol deposits funds into curveVault. However, the function accounts for the deposited amount instead of the minted shares, which leads to incorrect accounting. The Curve vault mints shares based on the deposited amount and its current exchange rate, but the protocol only tracks the deposited amount, leading to discrepancies over time due to yield accumulation.
Relevant Code:
The same issue exists in _withdrawFromVault, which reduces totalVaultDeposits based on withdrawal amounts but does not account for actual share ownership.
Vulnerability Details
The function
deposit(amount, address(this))mints shares corresponding toamount, buttotalVaultDepositstracks the deposited amount rather than the shares received.Since Curve Vaults accumulate yield, the shares increase in value over time, making
totalVaultDepositsan incorrect representation of the actual balance.
Impact
Loss of Funds Due to Misaccounting: Since totalVaultDeposits does not track yield-generated funds, the protocol could overestimate available liquidity and allow excessive withdrawals.
Tools Used
Manual Review
Recommendations
Use directly the method exposed by the CurveVault:
curveVault.previewRedeem(curveVault.balanceOf(address(this)), this will return all assets hold by the lending pool in the curve vault.
Lead Judging Commences
LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations
LendingPool::totalVaultDeposits can underflow when withdrawing yield-inclusive amounts and vault yield isn't factored into interest rate calculations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.