The lending protocol deposits excess reserve tokens into the Curve Vault to earn additional yield, but there is no structured mechanism to distribute this yield back to depositors. This results in an untracked surplus, leading to unfair reward allocation, governance disputes, and missed opportunities for sustainable revenue generation. Additionally, the protocol treasury lacks a structured way to take a service fee from the earned yield, further exacerbating the issue.
Depositors Are Not Receiving Curve Vault Yield
Lenders provide all reserve tokens to the protocol, yet only borrowers’ interest payments fund their rewards.
Any additional yield earned from Curve Vault is not distributed back to depositors, as is evidenced from the function below that's devoid of the yield distribution logic.
This creates a misalignment of incentives, where lenders are exposed to risk but do not receive full benefits from the reserve asset's yield.
Treasury Cannot Justify Taking a Cut
The protocol may intend to take a small service fee from Curve yield, but without a structured distribution system, it cannot transparently do so.
Governance disputes may arise as users demand a fair share of the earnings.
No Accounting for Yield Growth
The system does not track the growth of deposits inside Curve Vault properly.
This results in an untracked surplus, making liquidity accounting opaque.
If the protocol retires its lending service, there is no clear mechanism to distribute the accumulated Curve yield fairly.
Missed earnings for depositors undermine trust and adoption.
Protocol revenue loss prevents long-term sustainability.
Opaque fund management may cause governance issues.
It appears that rescue()
may be used to retrieve the accrued yields but I don't think this should be justifiable considering the deposited Reserve asset tokens to the Curve vault are primarily contributed by the lenders. Besides, the missing yield distribution logic in _withdrawFromVault()
will not have such extra funds available for withdrawal rescue.
Manual
Implement a structured yield distribution system.
It seems like the difference between totalVaultDeposits
and the actualBalance, i.e. curveVault.balanceOf(address(this))
, may be tapped into to formulating and updating the yields each time _depositIntoVault()
or _withdrawFromVault()
is triggered.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.