Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Unallocated Curve Vault Yield Fails to Reward Lenders

Summary

The lending protocol deposits excess reserve tokens into the Curve Vault to earn additional yield, but there is no structured mechanism to distribute this yield back to depositors. This results in an untracked surplus, leading to unfair reward allocation, governance disputes, and missed opportunities for sustainable revenue generation. Additionally, the protocol treasury lacks a structured way to take a service fee from the earned yield, further exacerbating the issue.

Vulnerability Details

Depositors Are Not Receiving Curve Vault Yield

  • Lenders provide all reserve tokens to the protocol, yet only borrowers’ interest payments fund their rewards.

  • Any additional yield earned from the Curve Vault is not distributed back to depositors, as the function below shows: it contains no yield distribution logic at all.

LendingPool.sol#L809-L812

```solidity
function _withdrawFromVault(uint256 amount) internal {
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
    totalVaultDeposits -= amount;
}
```

  • This creates a misalignment of incentives, where lenders are exposed to the risk but do not receive the full benefit of the reserve asset's yield.

Treasury Cannot Justify Taking a Cut

  • The protocol may intend to take a small service fee from the Curve yield, but without a structured distribution system it cannot do so transparently.

  • Governance disputes may arise as users demand a fair share of the earnings.

No Accounting for Yield Growth

  • The system does not track the growth of deposits inside Curve Vault properly.

  • This results in an untracked surplus, making liquidity accounting opaque.

  • If the protocol retires its lending service, there is no clear mechanism to distribute the accumulated Curve yield fairly.

Impact

  • Missed earnings for depositors undermine trust and adoption.

  • Protocol revenue loss prevents long-term sustainability.

  • Opaque fund management may cause governance issues.

It appears that rescueToken() may be used to retrieve the accrued yields, but I don't think this should be justifiable, considering that the reserve asset tokens deposited into the Curve vault are primarily contributed by the lenders. Besides, the missing yield distribution logic in _withdrawFromVault() will not make such extra funds available in the pool for rescue.

LendingPool.sol#L731-L734

```solidity
function rescueToken(address tokenAddress, address recipient, uint256 amount) external onlyOwner {
    require(tokenAddress != reserve.reserveRTokenAddress, "Cannot rescue RToken");
    IERC20(tokenAddress).safeTransfer(recipient, amount);
}
```

Tools Used

Manual

Recommendations

Implement a structured yield distribution system.

It seems like the difference between totalVaultDeposits and the actual balance, i.e. curveVault.balanceOf(address(this)), could be used to compute and update the accrued yield each time _depositIntoVault() or _withdrawFromVault() is called.
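As an added illustration of that recommendation (this is sketch code written for this report, not the protocol's LendingPool code), the following mixin settles the surplus between the vault's actual value and totalVaultDeposits on every vault deposit or withdrawal, and splits it into a lender share and a treasury fee. Assumptions: an ERC4626-style vault exposing deposit() and convertToAssets() (only the withdraw() signature is taken from the report), OpenZeppelin v5 SafeERC20, and hypothetical names for everything other than curveVault and totalVaultDeposits (TREASURY_FEE_BPS, lenderYieldAccrued, treasuryYieldAccrued, collectTreasuryYield, _releaseLenderYield).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed vault interface. withdraw() mirrors the call seen in the report;
// deposit() and convertToAssets() follow the ERC4626 convention (assumption).
interface IYieldVault {
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
    function withdraw(
        uint256 assets, address receiver, address owner, uint256 maxLoss, address[] calldata strategies
    ) external returns (uint256 shares);
    function balanceOf(address account) external view returns (uint256);
    function convertToAssets(uint256 shares) external view returns (uint256);
}

// Illustrative mixin (not the protocol's code): keeps vault yield separate
// from principal and earmarks it for lenders and the treasury.
abstract contract VaultYieldAccounting {
    using SafeERC20 for IERC20;

    IERC20 public immutable reserveAsset;
    IYieldVault public immutable curveVault;
    address public immutable treasury;

    uint256 public totalVaultDeposits;   // assets attributed to the pool inside the vault
    uint256 public lenderYieldAccrued;   // yield earmarked for lenders, still inside the vault
    uint256 public treasuryYieldAccrued; // service fee on yield, claimable by the treasury
    uint256 public constant TREASURY_FEE_BPS = 1_000; // hypothetical 10% fee, charged on yield only

    event VaultYieldAccrued(uint256 surplus, uint256 lenderShare, uint256 treasuryFee);
    event VaultLossRecognised(uint256 loss);

    constructor(IERC20 _reserveAsset, IYieldVault _curveVault, address _treasury) {
        reserveAsset = _reserveAsset;
        curveVault = _curveVault;
        treasury = _treasury;
    }

    // Value of the pool's position in reserve-asset units. For a share-based
    // vault balanceOf() returns shares, so convert before comparing against
    // totalVaultDeposits, which is denominated in assets.
    function _vaultAssets() internal view returns (uint256) {
        return curveVault.convertToAssets(curveVault.balanceOf(address(this)));
    }

    // Settle the gap between actual vault value and recorded principal before
    // any deposit or withdrawal changes it, so the surplus is never untracked.
    function _accrueVaultYield() internal {
        uint256 actual = _vaultAssets();
        if (actual > totalVaultDeposits) {
            uint256 surplus = actual - totalVaultDeposits;
            uint256 fee = (surplus * TREASURY_FEE_BPS) / 10_000;
            treasuryYieldAccrued += fee;
            lenderYieldAccrued += surplus - fee;
            emit VaultYieldAccrued(surplus, surplus - fee, fee);
        } else if (actual < totalVaultDeposits) {
            // The vault lost value; this sketch lets the loss fall on principal.
            // A production design must state explicitly who bears vault losses.
            emit VaultLossRecognised(totalVaultDeposits - actual);
        }
        // Re-baseline so the same surplus (or loss) is not counted twice.
        totalVaultDeposits = actual;
    }

    function _depositIntoVault(uint256 amount) internal {
        _accrueVaultYield();
        reserveAsset.forceApprove(address(curveVault), amount);
        curveVault.deposit(amount, address(this));
        totalVaultDeposits += amount;
    }

    // The pool itself owns the vault shares, so it is both receiver and owner here.
    function _withdrawFromVault(uint256 amount) internal {
        _accrueVaultYield();
        if (amount == 0) return;
        curveVault.withdraw(amount, address(this), address(this), 0, new address[](0));
        totalVaultDeposits -= amount;
    }

    // The treasury can only ever take its accrued fee, never lender principal.
    function collectTreasuryYield() external {
        require(msg.sender == treasury, "not treasury");
        uint256 amount = treasuryYieldAccrued;
        treasuryYieldAccrued = 0;
        _withdrawFromVault(amount);
        reserveAsset.safeTransfer(treasury, amount);
    }

    // Hook for the pool: pulls the lenders' share back into pool liquidity so it
    // can be credited to depositors (e.g. via the liquidity index; assumption).
    function _releaseLenderYield() internal returns (uint256 amount) {
        amount = lenderYieldAccrued;
        lenderYieldAccrued = 0;
        _withdrawFromVault(amount);
    }
}
```

The key property is that totalVaultDeposits is re-baselined to the vault's actual value after each accrual, so the treasury fee and lender share are bounded by yield that has really been earned, and a later rescueToken() call has no anonymous surplus to reach for.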

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool earns yield from Curve Vault deposits but lacks systematic distribution mechanism, leading to protocol-owned value with unclear extraction path
