Inconsistent Debt Normalization Leads to Miscalculated Utilization Rate
Summary
The protocol calculates the utilization rate using raw debt updateInterestRatesAndLiquidity() function instead of normalized debt. This discrepancy leads to inconsistent interest rate calculations.
Vulnerability Details
The calculateUtilizationRate function is designed to use normalized debt (which includes accrued interest) for accurate calculations. In functions like getBorrowRate and getLiquidityRate, normalized debt is passed in. However, in updateInterestRatesAndLiquidity, the code mistakenly uses the raw debt (reserve.totalUsage) instead of the normalized debt computed by getNormalizedDebt.
Scenario:
Imagine a reserve with 1,000 liquidity units and a raw debt of 200 units. Due to accrued interest, the normalized debt should be 250.
Correct utilization: 250 / (1,000 + 250) = 20%.
Incorrect utilization (raw): 200 / (1,000 + 200) ≈ 16.67%.
This miscalculation results in lower borrow and liquidity rates than intended, affecting protocol economics.
Impact
Interest Rate Mispricing: Lower-than-intended utilization leads to miscalculated borrow and liquidity rates.
Economic Imbalance: This inconsistency can undermine incentives and potentially be exploited by savvy users.
Tools Used
manual review
Recommendations
Update updateInterestRatesAndLiquidity to pass the normalized debt (i.e., the result of getNormalizedDebt) to calculateUtilizationRate.
Lead Judging Commences
calculateUtilizationRate mixes unscaled totalLiquidity with scaled totalUsage values, causing incorrect utilization rates and interest calculations across the protocol
calculateUtilizationRate mixes unscaled totalLiquidity with scaled totalUsage values, causing incorrect utilization rates and interest calculations across the protocol
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.