An incorrect value is set for receiver in _withdrawFromVault(). As a result, the user does not receive the token asset as expected and the reserve remains short of liquidity.
When a user calls withdraw(), liquidity is ensured by calling the _ensureLiquidity() function. This function is responsible for ensuring that the liquidity in the reserve address is sufficient to meet the user's withdrawal needs.
The problem arises when the total liquidity in the reserve does not meet the user's withdrawal needs. In this situation, the _withdrawFromVault() function is called, which is meant to withdraw assets from the vault and send them to the reserve or directly to the user. In practice it does neither.
As the current implementation shows, receiver is set to address(this); in other words, the asset recipient is the Lending Pool contract. This is a problem because when the withdraw() function in ReserveLibrary is executed, the asset is sent directly from the reserve and not from the Lending Pool. The liquidity that has just been withdrawn from the vault to cover the shortfall is not sent to the reserve or the user but to the Lending Pool. This causes the user not to receive the asset.
The user does not receive the token asset as expected, and the reserve remains short of liquidity.
Manual Review
Consider setting receiver to the reserve address.
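A simplified balance model of the flow described above, added here as an illustration and not the protocol's contract code. The account names, amounts, and the assumption that a transfer fails when the sender's balance is too low are constructed for the example; it compares the payout with the vault paying the Lending Pool against the vault paying the reserve.

```python
# Simplified balance model of the flow in this finding (constructed, not contract code).
class InsufficientBalance(Exception):
    pass

class Ledger:
    """Token balances keyed by account name; stands in for the asset token."""
    def __init__(self, **balances):
        self.bal = dict(balances)

    def transfer(self, src, dst, amount):
        # Assumption: a transfer fails when the sender's balance is too low.
        if self.bal.get(src, 0) < amount:
            raise InsufficientBalance(f"{src} holds {self.bal.get(src, 0)}, needs {amount}")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

def withdraw_from_vault(ledger, amount, receiver):
    # Models _withdrawFromVault(): the vault pays out to `receiver`.
    ledger.transfer("vault", receiver, amount)

def ensure_liquidity(ledger, amount, receiver):
    # Models _ensureLiquidity(): cover the reserve's shortfall from the vault.
    available = ledger.bal.get("reserve", 0)
    if available < amount:
        withdraw_from_vault(ledger, amount - available, receiver)

def withdraw(ledger, user, amount, receiver):
    # Models withdraw(): top up liquidity, then pay the user from the reserve.
    ensure_liquidity(ledger, amount, receiver)
    ledger.transfer("reserve", user, amount)

def run(receiver):
    # Constructed balances: reserve holds 40, vault holds 100, user withdraws 100.
    ledger = Ledger(vault=100, lending_pool=0, reserve=40, user=0)
    try:
        withdraw(ledger, "user", 100, receiver)
        ok = True
    except InsufficientBalance:
        ok = False
    # Balances are reported as they stand when the payout is attempted.
    return ok, ledger.bal

if __name__ == "__main__":
    print("receiver = lending_pool:", run("lending_pool"))
    print("receiver = reserve:     ", run("reserve"))
```

The same comparison works as a regression check: after the liquidity step, the reserve's balance must be at least the requested amount.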