Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Not accounting for accumulated interest in the `updateInterestRatesAndLiquidity` function of `ReserveLibrary.sol` Contract

Summary

The utilization rate calculation in the `updateInterestRatesAndLiquidity` function of the `ReserveLibrary.sol` contract is incorrect because it does not account for accumulated interest in debt and liquidity. This leads to inaccurate updates of the borrow and liquidity rates and to inaccurate risk assessments.

Vulnerability Details

The issue arises in the current calculation of the utilization rate, where the system only considers the raw debt and liquidity values without factoring in accumulated interest.

  1. Current Calculation:

```solidity
function updateInterestRatesAndLiquidity(
    ReserveData storage reserve,
    ReserveRateData storage rateData,
    uint256 liquidityAdded,
    uint256 liquidityTaken
) internal {
    uint256 computedDebt = getNormalizedDebt(reserve, rateData); // @audit ❌ Not used
    uint256 computedLiquidity = getNormalizedIncome(reserve, rateData); // @audit ❌ Not used
    // @audit ❌ Not accounting for accumulated interest in debt and liquidity when calculating the utilization rate
    uint256 utilizationRate = calculateUtilizationRate(reserve.totalLiquidity, reserve.totalUsage);
    // @audit ❌ Update current usage rate (borrow rate) using outdated utilizationRate
    rateData.currentUsageRate = calculateBorrowRate(
        rateData.primeRate,
        rateData.baseRate,
        rateData.optimalRate,
        rateData.maxRate,
        rateData.optimalUtilizationRate,
        utilizationRate
    );
    // @audit ❌ Update current liquidity rate using outdated utilizationRate
    rateData.currentLiquidityRate = calculateLiquidityRate(
        utilizationRate,
        rateData.currentUsageRate,
        rateData.protocolFeeRate,
        totalDebt
    );
    // Update the reserve interests using outdated reserve and rateData
    updateReserveInterests(reserve, rateData);
    emit InterestRatesUpdated(rateData.currentLiquidityRate, rateData.currentUsageRate);
}
```

The actual debt and liquidity should include accumulated interest, which the current method ignores as shown below:

Current Calculation Example:

  • actualDebt = rawDebt + accumulatedInterest

  • actualLiquidity = rawLiquidity + accumulatedDepositInterest

  • Original liquidity = 1000 USDC

  • Original debt = 500 USDC

  • Accumulated debt interest = 50 USDC

  • Accumulated liquidity interest = 30 USDC

Current Utilization Rate Calculation: utilizationRate = 500 / (1000 + 500) = 33.33%
Correct Calculation: utilizationRate = 550 / (1030 + 550) = 34.81%
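
The same figures in integer fixed-point arithmetic, as an added example that is not RAAC's code. It assumes 27-decimal (RAY) interest indices, 6-decimal USDC amounts, and index values of 1.03 and 1.10 chosen to reproduce the 30 and 50 USDC of accrued interest above; all function names are hypothetical.

```javascript
// Added example: hypothetical helper names, not RAAC's ReserveLibrary code.
const RAY = 10n ** 27n; // assumed 27-decimal fixed-point unit for rates and indices

// Fixed-point multiply and divide, rounding half up.
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// utilization = debt / (liquidity + debt), the formula used in the figures above.
function utilizationRay(liquidity, debt) {
  const total = liquidity + debt;
  return total === 0n ? 0n : rayDiv(debt, total); // empty reserve: 0, no division by zero
}

// Truncate a RAY value to whole basis points (1 bps = 0.01%).
const toBps = (ray) => (ray * 10_000n) / RAY;

// Compare utilization from stored totals with utilization after interest accrual.
function utilizationDrift({ liquidity, debt, liquidityIndex, usageIndex }) {
  const staleBps = toBps(utilizationRay(liquidity, debt));
  const accruedLiquidity = rayMul(liquidity, liquidityIndex); // assumed: total = stored * index
  const accruedDebt = rayMul(debt, usageIndex);
  const actualBps = toBps(utilizationRay(accruedLiquidity, accruedDebt));
  const driftBps = actualBps > staleBps ? actualBps - staleBps : staleBps - actualBps;
  return { staleBps, actualBps, driftBps, accruedLiquidity, accruedDebt };
}

// Check for a test suite or monitor: flag a reserve whose rate inputs have
// drifted from the accrued values by more than toleranceBps.
function exceedsTolerance(reserve, toleranceBps) {
  return utilizationDrift(reserve).driftBps > toleranceBps;
}

// Constructed sample matching the worked figures (USDC has 6 decimals).
const sample = {
  liquidity: 1_000_000_000n,         // 1000 USDC
  debt: 500_000_000n,                // 500 USDC
  liquidityIndex: 103n * 10n ** 25n, // 1.03 RAY -> 30 USDC accrued
  usageIndex: 11n * 10n ** 26n,      // 1.10 RAY -> 50 USDC accrued
};

console.log(utilizationDrift(sample));
```
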

Impact

  1. Underestimated Utilization Rate:

    • The system calculates a lower or higher utilization rate than the actual value, leading to an inaccurate assessment of the system’s liquidity utilization.

  2. Incorrect Interest Rate Updates:

    • Since the utilization rate is used to update borrow and liquidity interest rates, incorrect utilization rates may result in wrong interest rate adjustments, affecting both borrowers and lenders.

  3. Underestimated Risk:

    • Because accumulated interest is not included in the utilization rate, the system underestimates or overestimates the actual debt-to-liquidity ratio. This can lead to an incorrect risk assessment and potential solvency issues, as the system may not take the full exposure into account.

  4. Potential Financial Losses:

    • Incorrect interest rate calculations and underestimation of risk can lead to imbalanced liquidity pools, higher chances of liquidations, and financial instability within the system.

Tools Used

Manual code review

Recommendations

Fix the utilization rate calculation by modifying the `updateInterestRatesAndLiquidity` function to use the computed debt and liquidity values, which include accumulated interest.

function updateInterestRatesAndLiquidity(ReserveData storage reserve,ReserveRateData storage rateData,uint256 liquidityAdded,uint256 liquidityTaken) internal {
...
// @audit Compute actual values
uint256 computedDebt = getNormalizedDebt(reserve, rateData);
uint256 computedLiquidity = getNormalizedIncome(reserve, rateData);
// @audit Use actual values for utilization rate
- uint256 utilizationRate = calculateUtilizationRate(reserve.totalLiquidity, reserve.totalUsage);
+ uint256 utilizationRate = calculateUtilizationRate(computedLiquidity, computedDebt);
// ... Further interest rate update logic ...
}
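
Review bot: the `+` line passes `computedLiquidity` and `computedDebt` straight into `calculateUtilizationRate`, but nothing in this snippet shows that `getNormalizedIncome` and `getNormalizedDebt` return totals in the same units as `reserve.totalLiquidity` and `reserve.totalUsage`. If they return per-unit indices, the stored totals should be scaled by them before the call. The `calculateLiquidityRate` call in the original listing also takes `totalDebt`, which falls under the elided "Further interest rate update logic" here, so the patch should state whether that argument changes to `computedDebt` as well.
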
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ReserveLibrary calculates computedDebt and computedLiquidity but never uses them, leading to stale totalUsage and totalLiquidity values in utilization rate calculations
