LendingPool protocol fee is not properly handled
Summary
LendingPool protocol fee is not properly handled.
Vulnerability Details
LendingPool contains protocolFeeRate which is initialized to 0 but can be updated to non-zero.
LendingPool.sol::setProtocolFeeRate()
The protocol fee is charged on user's profit earned from borrowing interest.
ReserveLibrary.sol::calculateLiquidityRate()
The problem is that protocl fee is not recorded separately, nor there is dedicated function implemented for withdrawing the fees.
Impact
Because protocol fee is not properly recorded, it's very hard to know how much fee has been collected so far.
As there is no function for withdrawing protocol fee, the fee is stuck in RToken contract.
Tools Used
Manual Review
Recommendations
It is recommended to record protocol fee properly, and implement functionality to withdraw the fee.
Lead Judging Commences
LendingPool calculates protocol fees but lacks mechanism to track and withdraw them, causing fees to be permanently locked in the RToken contract
LendingPool calculates protocol fees but lacks mechanism to track and withdraw them, causing fees to be permanently locked in the RToken contract
Appeal created
LendingPool calculates protocol fees but lacks mechanism to track and withdraw them, causing fees to be permanently locked in the RToken contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.