Core Contracts

Summary

The reserve indices are updated too late (after liquidity or debt changes occur) resulting in stale interest accrual. This mis-sequencing leads to inaccurate interest rate computations and may distort economic incentives.

Vulnerability Details

The updateReserveInterests function is intended to be called before any state-changing operations to capture the current interest accrual accurately. However, in the updateInterestRatesAndLiquidity function, it is invoked at the end—after liquidity or debt updates have already occurred.

• Step 1: During a deposit, updateReserveInterests is called at the beginning, updating indices (liquidityIndex and usageIndex) using the reserve's current state.

• Step 2: The deposit is processed, increasing the reserve’s liquidity.

• Step 3: Later, updateInterestRatesAndLiquidity is called, which in turn calls updateReserveInterests at its end, updating the indices again based on the new state.

This delayed update causes the indices to reflect a timestamp later than when the deposit was actually made. As a result, the accrued interest calculations for subsequent operations use stale indices, misrepresenting the actual interest earned or owed.

Demonstration:

• Reserve liquidity: 1,000 tokens

• Liquidity index: 1.0 RAY

• Last update timestamp: t = 0

Ideal Update:

• At t = 86,400 seconds (1 day), with a 1% daily interest, the liquidity index should update to approximately 1.01 RAY based solely on the original 1,000 tokens.

Issue:

• User A deposits 100 tokens at t = 86,000 seconds.

• Instead of updating the indices before processing the deposit, the protocol calls updateReserveInterests at the end of updateInterestRatesAndLiquidity.

• Consequently, the liquidity index is recalculated using the new total liquidity (1,100 tokens) and a time delta that includes the deposit. This late update causes the new index to be higher than it should be for the period before the deposit.

Result:

• Interest for early depositors is accrued using an outdated index (around 1.01 RAY), while User A’s deposit benefits from the inflated index calculated after the deposit.

• This misalignment leads to inaccurate interest computations and potential unfair distribution of rewards.

Impact

• Interest Miscalculation:
  Because indices are updated after liquidity changes, the calculated borrow and liquidity rates may not accurately reflect the interest that should have accrued during the deposit or withdrawal process. This mispricing can lead to either overcharging or underpaying interest.

• Economic Discrepancy:
  Stakeholders—both borrowers and depositors—may receive rewards or incur costs that differ from what is expected. This misalignment can erode user trust, distort market incentives, and ultimately impact the protocol’s stability.

Tools Used

manual review

Recommendations

Call updateReserveInterests immediately before any state changes (liquidity or debt adjustments) occur.