Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`getNormalizedIncome` and `getNormalizedDebt` functions in LendingPool contract don't actually return normalised index but last updated index.

Summary

The getNormalizedIncome and getNormalizedDebt functions in the LendingPool contract are defined as follows:

function getNormalizedIncome() external view returns (uint256) {
    return reserve.liquidityIndex;
}
function getNormalizedDebt() external view returns (uint256) {
    return reserve.usageIndex;
}

This is a serious issue: neither function returns the normalised index (the liquidity or usage index accrued up to the current block). Both return the index as it was stored at the last reserve update, which is not what the corresponding ReserveLibrary functions compute.

Impact

The impact of this vulnerability is high. RToken and DebtToken use these two functions to calculate balances, total supply and fees, so all of those values are derived from a stale index whenever no reserve update has happened in the current block.

Tools Used

Manual review

Recommendations

Use the ReserveLibrary implementation in the LendingPool contract for both functions so that the normalised indexes are computed correctly:

function getNormalizedIncome() external view returns (uint256) {
    return ReserveLibrary.getNormalizedIncome(reserve, rateData);
}
function getNormalizedDebt() external view returns (uint256) {
    return ReserveLibrary.getNormalizedDebt(reserve, rateData);
}

Note that ReserveLibrary's getNormalizedDebt is itself wrongly implemented, but that is a separate issue.
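To make the stale-versus-accrued distinction concrete, here is a minimal model added as an example; it is not the project's code. The struct field names mirror those in the finding, but the simple-interest accrual in ReserveLibraryModel is an assumed stand-in for whatever ReserveLibrary actually computes, and the contract names are hypothetical.

```solidity
pragma solidity ^0.8.20;

// Field names follow the finding; the simple-interest accrual below is an
// assumed stand-in for ReserveLibrary's math, not the project's own code.
struct ReserveData {
    uint128 liquidityIndex;      // ray (1e27), value at lastUpdateTimestamp
    uint128 usageIndex;          // ray, value at lastUpdateTimestamp
    uint40 lastUpdateTimestamp;
}

struct RateData {
    uint128 currentLiquidityRate; // ray, annualised
    uint128 currentUsageRate;     // ray, annualised
}

library ReserveLibraryModel {
    uint256 internal constant RAY = 1e27;
    uint256 internal constant SECONDS_PER_YEAR = 365 days;
    // Grow a stored index by the interest accrued since the last state write.
    function accrue(uint256 index, uint256 rate, uint40 lastUpdate) internal view returns (uint256) {
        uint256 dt = block.timestamp - lastUpdate;
        if (dt == 0) return index; // nothing accrued in this block
        return (index * (RAY + (rate * dt) / SECONDS_PER_YEAR)) / RAY;
    }
    function getNormalizedIncome(ReserveData storage r, RateData storage d) internal view returns (uint256) {
        return accrue(r.liquidityIndex, d.currentLiquidityRate, r.lastUpdateTimestamp);
    }
    function getNormalizedDebt(ReserveData storage r, RateData storage d) internal view returns (uint256) {
        return accrue(r.usageIndex, d.currentUsageRate, r.lastUpdateTimestamp);
    }
}

contract LendingPoolGetters {
    ReserveData internal reserve;
    RateData internal rateData;

    // Vulnerable form from the finding: the index stored at the last update, so an
    // RToken dividing a scaled balance by it reports no interest between updates.
    function getNormalizedIncomeStale() external view returns (uint256) {
        return reserve.liquidityIndex;
    }

    // Fixed form: accrue to block.timestamp inside the view, with no state write.
    function getNormalizedIncome() external view returns (uint256) {
        return ReserveLibraryModel.getNormalizedIncome(reserve, rateData);
    }
    function getNormalizedDebt() external view returns (uint256) {
        return ReserveLibraryModel.getNormalizedDebt(reserve, rateData);
    }
}
```

In a Hardhat test, advancing the chain's timestamp without touching the reserve leaves getNormalizedIncomeStale() unchanged while getNormalizedIncome() grows, which is exactly the divergence RToken balance calculations would inherit.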

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNormalizedIncome() and getNormalizedDebt() returns stale data without updating state first, causing RToken calculations to use outdated values
