`setCurveVault` it's not withdrawing funds
Summary
In the LendingPool contract, if the owner changes the curveVault address using the setCurveVault function, all funds previously deposited into the old vault will become inaccessible, effectively getting stuck in the old vault.
Vulnerability Details
The function allows the owner to change the curveVault at any time, but it does not transfer funds from the old vault to the new one.
Example Scenario
The protocol initially sets
curveVault = Vault A.Users deposits 1,000 USDC and part of these funds are deposited into
Vault A.The owner calls
setCurveVault(Vault B), switching to a new vault.The contract now interacts with
Vault B, but part of the 1,000 USDC remains stuck, as there is no function to transfer it out.
Impact
User Funds May Become Irretrievable – If users have funds in the old vault, they will be permanently stuck. Also the variable that hold the current amount which is hold by vault, will have a wrong value.
Tools Used
Manual review
Recommendations
Migrate Funds Before Changing Vaults
Implement a safe migration function that withdraws all funds from the old vault before updating to a new vault.
Lead Judging Commences
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
LendingPool::setCurveVault doesn't withdraw funds from old vault before changing address, permanently locking deposited assets
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.