Submission Details
Severity:
RToken::updateLiquidityIndex() can never be called
Description
Inside RToken.sol, the admin function updateLiquidityIndex() has a onlyReservePool modifier which restricts its call to be made only by the LendingPool contract and no one else.
File: contracts/core/tokens/RToken.sol
92: /**
93: * @notice Updates the liquidity index
94: * @param newLiquidityIndex The new liquidity index
95: */
96:@---> function updateLiquidityIndex(uint256 newLiquidityIndex) external override onlyReservePool {
97: if (newLiquidityIndex < _liquidityIndex) revert InvalidAmount();
98: _liquidityIndex = newLiquidityIndex;
99: emit LiquidityIndexUpdated(newLiquidityIndex);
100: }
However there is no function inside LendingPool.sol that calls the aforementioned function.
Impact
The functionality which RToken::updateLiquidityIndex() aims to provide can never be used. Admin can't update the liquidity index.
Mitigation
Add a function inside LendingPool.sol which looks like:
function updateLiquidityIndex(uint256 newLiquidityIndex) external onlyOwner {
IRToken(reserve.reserveRTokenAddress).updateLiquidityIndex(newLiquidityIndex);
}
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RToken::updateLiquidityIndex() has onlyReservePool modifier but LendingPool never calls it, causing transferFrom() to use stale liquidity index values
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.