Submission Details
Severity:
Incorrect Receiver Address Causing Funds Being Locked
Summary
Withdrawn assets are sent to the contract (address(this)) instead of the user (msg.sender), leading to permanent asset loss.
Vulnerability Details
The receiver parameter in curveVault.withdraw is set to address(this), causing assets to be sent to the contract. Since there is no mechanism to forward these assets to the user, they remain stuck indefinitely.
Impact
Users lose access to withdrawn assets.
Funds are permanently locked in the contract.
Tools Used
Manual review
Recommendations
Set receiver to msg.sender:
function _withdrawFromVault(uint256 amount) internal {
+ curveVault.withdraw(amount, msg.sender, msg.sender, 0, new address[](0));
- curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
totalVaultDeposits -= amount;
}
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.