ReservePool fails to implement updateLiquidityIndex function, permanently freezing RToken's transferFrom() scaling at initial value"
Summary
The ReservePool.sol contract fails to implement the updateLiquidityIndex function that is required to update the _liquidityIndex parameter in RToken.sol. This causes RToken::transferFrom() function to permanently use the initial liquidity index value set at deployment, preventing proper interest accrual scaling for these transfers.
Vulnerability Details
The RToken contract relies on the ReservePool to update its liquidity index through the updateLiquidityIndex function:
However, the ReservePool contract does not implement this function at all. This means:
The _liquidityIndex in RToken remains at its initial value forever
All transferFrom() calls use this stale initial value for scaling:
Impact
High
The transferFrom() function will ALWAYS use the initial liquidity index value
No interest accrual will be reflected in transferFrom() operations
Users will receive incorrect token amounts when using transferFrom()
Likelihood
High
The issue is present from deployment
Affects all transferFrom() operations
No special conditions needed to trigger
Will definitely lead to incorrect transfers as soon as any interest accrues
Proof of Concept
N/A - Vulnerability is straight forward and sufficient information has been provided priorly.
Recommendations
Implement
updateLiquidityIndex()inReservePool.sol:Ensure the function is called whenever interest accrues in the ReservePool
Alternatively, use this functionality instead:
ILendingPool(_reservePool).getNormalizedIncome()
Lead Judging Commences
RToken::updateLiquidityIndex() has onlyReservePool modifier but LendingPool never calls it, causing transferFrom() to use stale liquidity index values
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.