Submission Details
Severity:
Incorrect utlization rate calculation
Summary
The reserve library determiens the total liqudity by keeping track of the added liquidity during deposits and withdrawals, however it is not adjusted when the dust amount is transferred by the owner of the pool via LendingPool::transferAccruedDust or when part of the excess amount is deposited in the vaults.
Vulnerability Details
The pool operates at a lower utilization rate than what it actually has.
Impact
Paste this into the lending pool tests.
it("should transfer accrued dust correctly", async function () {
// create obligations
await crvusd.connect(user1).approve(lendingPool.target, ethers.parseEther("100"));
await lendingPool.connect(user1).deposit(ethers.parseEther("100"));
// mint a lot of crvUSD to the reserve
await crvusd.mint(rToken.target, ethers.parseEther("10000000"));
// Calculate dust amount
const dustAmount = await rToken.calculateDustAmount();
console.log("Dust amount:", dustAmount);
// Set up recipient and transfer dust
const dustRecipient = owner.address;
// TODO: Ensure dust case - it is 0n a lot. (NoDust())
if (dustAmount !== 0n) {
let normalizeIncomeBefore = await lendingPool.getNormalizedIncome();
await lendingPool.connect(owner).transferAccruedDust(dustRecipient, dustAmount);
let normalizeIncomeAfter = await lendingPool.getNormalizedIncome();
expect(normalizeIncomeAfter).to.equal(normalizeIncomeBefore);
// Withdraw initial deposit
await lendingPool.connect(user1).withdraw(ethers.parseEther("100"));
const dustAmountPostWithdraw = await rToken.calculateDustAmount();
console.log({ dustAmountPostWithdraw });
}
});
Tools Used
Manual review.
Recommendations
Use the underlying asset balance held by the reserve.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::transferAccruedDust doesn't update reserve.totalLiquidity when dust is transferred, causing discrepancy between tracked and actual liquidity
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
LendingPool::transferAccruedDust doesn't update reserve.totalLiquidity when dust is transferred, causing discrepancy between tracked and actual liquidity
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.