Core Contracts

Summary

The DebtToken.updateUsageIndex function enforces a strict monotonic increase in the usage index by reverting any attempt to lower it. While this design ensures that the index only grows, it also prevents the protocol from correcting an overestimated usage index. In scenarios where the index is erroneously inflated—due to external oracle errors, miscalculations, or malicious manipulation—the inability to lower the index can lead to permanently overstated debt balances.

Vulnerability Details

1. Strict Monotonicity Enforcement:

   The function is implemented as follows:

   function updateUsageIndex(uint256 newUsageIndex) external override onlyReservePool {

   if (newUsageIndex < _usageIndex) revert InvalidAmount();

   _usageIndex = newUsageIndex;

   emit UsageIndexUpdated(newUsageIndex);

   }

   This check (if (newUsageIndex < _usageIndex) revert InvalidAmount();) ensures that once the usage index is raised, it cannot be reduced.

2. Overestimated Index Correction Issue:

   In the event that the usage index is overestimated—whether due to external oracle discrepancies, calculation errors, or deliberate manipulation—the protocol lacks a mechanism to correct this error. The inability to lower the index means that any overestimation is permanent, potentially resulting in:

   • Inflated Debt Balances: Users may see their accrued debt permanently higher than it should be.

   • Unfair Liquidations: Overstated debt levels could trigger liquidations or prevent users from adequately repaying their loans.

   • Systemic Inaccuracy: The overall health of the lending pool might be misrepresented, leading to broader economic implications.

3. Protocol Inflexibility:

   The design choice to forbid lowering the usage index, while intended to safeguard against certain types of abuse, also removes a critical corrective mechanism. This inflexibility can harm both users and the protocol's long-term stability in the face of unforeseen errors or external disruptions.

Impact

• User Debt Overstatement:
  Users might be saddled with debt amounts that are higher than their actual accrual, affecting their ability to manage repayments and risking unjust liquidations.

• Economic Distortion:
  An inflated usage index distorts the true state of the system’s debt, potentially affecting interest rate calculations and overall market confidence.

Proof-of-Concept (POC) Example

1. Erroneous Increase:
   An external error or manipulation causes the usage index to be set significantly higher than intended.

2. Attempted Correction:
   A protocol administrator or automated correction mechanism later attempts to update the usage index with a lower value that reflects the accurate debt accrual.

3. Reversion and Outcome:
   The updateUsageIndex function reverts the transaction, locking in the inflated usage index. Consequently, users' debt balances remain erroneously high, potentially triggering unwarranted liquidations or repayment difficulties.

Tools Used

Manual review

Recommendations

1. Allow Corrective Lowering Under Controlled Conditions:
   Modify the updateUsageIndex function to allow lowering the usage index when a correction is needed. This could be achieved by introducing a governance-controlled or time-locked mechanism that permits such adjustments only after thorough verification.

2. Implement Safeguards for Index Adjustments:
   Add additional checks or multi-signature approvals to ensure that any reduction in the usage index is justified and transparent, minimizing the risk of abuse.