Voyage > Business Logic > LiquidityFacet.sol

The maxWithdraw functionality is broken

Low Severity
Low Impact
High Likelihood


Depositors will be unable to use the intended maxWithdraw functionality in withdraw(...):

uint256 userBalance = vToken.maxWithdraw(msg.sender);
uint256 amountToWithdraw = _amount;
if (_amount == type(uint256).max) {
    amountToWithdraw = userBalance;
BorrowState storage borrowState = LibAppStorage.ds()._borrowState[
uint256 totalDebt = borrowState.totalDebt + borrowState.totalInterest;
uint256 avgBorrowRate = borrowState.avgBorrowRate;
IVToken(vToken).withdraw(_amount, msg.sender, msg.sender);


Users will need to make withdraw requests for exact amounts in order to retrieve all of their deposited funds. If the _amount provided in the function call exceeds the available balance, the function will fail with no clear error message. This can create a frustrating and unexpected user experience.



IVToken(vToken).withdraw(_amount, msg.sender, msg.sender);


IVToken(vToken).withdraw(amountToWithdraw, msg.sender, msg.sender);

Also, modify the _amount check to the following:

if (_amount == type(uint256).max || _amount > userBalance) {
    amountToWithdraw = userBalance;


Commits aac23ae9 and 0e00c990 were indicated as containing the remediation. The commits correctly fix the issue by applying the suggested remediations.