Core Contracts

Summary

The DebtToken's usage index, which governs interest rate calculations across the lending protocol, can be manipulated to decrease between updates. This breaks the fundamental assumption that interest rates only compound forward in time, similar to how a bank can't retroactively reduce already accrued interest.

In the DebtToken's updateUsageIndex() function, where the protocol tracks lending pool utilization to calculate interest rates. The current implementation allows the ReservePool to update the usage index with potentially lower values, creating a dangerous gap in the protocol's interest rate mechanics.

When the usage index decreases, it disrupts the entire chain of debt calculations:

• Interest accrual becomes inconsistent

• Debt positions are incorrectly valued

• The lending pool's accounting system loses accuracy

Consider a scenario where:

1. Initial usage index: 1.5 (150% utilization)

2. New update sets index to 1.2 (120% utilization)

3. Result: 20% reduction in accrued interest

This is equivalent to suddenly declaring that last month's 5% APR was actually 4%, and retroactively reducing all borrower obligations. In the RAAC protocol's context, this directly impacts the stability of real estate-backed lending positions.

Vulnerability Details

The DebtToken contract, a cornerstone of RAAC's real estate lending system, has a flaw in its interest rate mechanics. At its core, the protocol tracks lending pool utilization through a usage index that should only increase over time, similar to how mortgage interest compounds. However, the current implementation allows this index to decrease, undermining the entire lending system's stability.

Picture a real estate loan where the interest rate suddenly drops retroactively, this is exactly what can happen in the protocol. When the ReservePool calls updateUsageIndex(), it can potentially set a lower index value than previously recorded. For example, if a real estate position starts with a usage index of 1.5 (representing 150% utilization), the index could be maliciously updated to 1.2, effectively erasing 20% of the accrued interest across all positions.

The impact ripples through RAAC's entire lending ecosystem. Since DebtToken works alongside RAACToken and veRAACToken for governance, compromised interest calculations affect not just individual loans but the protocol's entire economic model. The stability mechanism, designed to maintain reliable real estate backing, becomes unreliable when debt positions can be artificially deflated.

Impact

Interest rate calculations are non-negotiable, the usage index vulnerability strikes at the heart of this, imagine a mortgage where the interest rate could retroactively decrease!

Recommendations

By enforcing strict monotonic increases in the usage index, we protect the protocol's core interest rate mechanics and ensure reliable debt accounting for all real estate-backed positions.
change < to <= in the validation check, ensuring the index strictly increases with each update.