Impossible to set `usageIndex` in `DebtToken`
Summary
The DebtToken contract allows for setting a usageIndex via updateUsageIndex, which is restricted by an onlyReservePool modifier. The reserve pool contract (LendingPool) does not provide a function to call into DebtToken#updateUsageIndex.
Vulnerability Details
The DebtToken contract allows for setting a usageIndex via its updateUsageIndex function. This function requires the caller to be the reserve pool. This is enforced using the onlyReservePool modifier:
The reserve pool is supposed to be the LendingPool, meaning, only the `LendingPool is allowed to call this function:
However, looking at the LendingPool contract, it does not have any function that calls into DebtToken.updateUsageIndex, resulting in the index not being changeable as intended.
Impact
Turns out the usageIndex is not really used anywhere, so this has no negative impact at this point, unless the codebase changes such that it relies on DebtToken.getUsageIndex(). Furthermore, DebtToken comes with a setReservePool function, which would enable the owner to update the reserve pool to a contract that does provide the necessary function.
Tools Used
Manual review
Recommendations
Either remove usageIndex entirely from DebtToken or, if kept, ensure the expected reserve pool contract actually comes with the necessary functions to update the usageIndex in DebtToken.
Relevant links
Lead Judging Commences
[INVALID] Unused _usageIndex Variable and updateUsageIndex() Function in DebtToken Contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.