_withdrawFromVault() will always revert because set msg.sender as owner when call curveVault.withdraw()
Summary
_withdrawFromVault() will always revert because set msg.sender as owner when call curveVault.withdraw()
Vulnerability Details
_withdrawFromVault() is part of the liquidity balancing and liquidity ensuring mechanism in the Lending Pool. In every transaction that takes place (lending / borrow) this function is called if the pool has less liquidity than needed.
The problem arises when calling the curveVault.withdraw() function where the owner variable is filled with msg.sender.
msg.sender on each transaction when the _withdrawFromVault() function is called is the user (lender/borrower) so this function will always revert because msg.sender (user) does not have the shares needed to withdraw assets from the vault. The owner of these shares is address(this) or in other words the Lending Pool contract itself. This can be seen from the _depositIntoVault() function
Impact
_withdrawFromVault() always revert and liquidity cannot be provide for user
Tools Used
Manual Review
Recommended Mitigation
Consider set owner as address(this) when calling curveVault.withdraw()
Lead Judging Commences
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.