Submission Details
Severity:
`RToken::updateLiquidityIndex` can't be called becaus `LendingPool` doesn't implement functionality to call it, making the `_liquidityIndex` stale
Summary
RToken has a function to enable programmatically updates to the _liquidityIndex. The RToken::updateLiquidityIndexcan only be called by the LendingPool.
Vulnerability Details
The LendingPooldoesn't implement a functionality to call the RToken::updateLiquidityIndex, blocking it from being updated.
- function updateLiquidityIndex(uint256 newLiquidityIndex) external override onlyReservePool { <@
if (newLiquidityIndex < _liquidityIndex) revert InvalidAmount();
_liquidityIndex = newLiquidityIndex;
emit LiquidityIndexUpdated(newLiquidityIndex);
}
Impact
The _liquidityIndex will be stale regardless of the money flow on the LendingPool, causing the pool to perform wrong calculations.
Tools Used
Code Review
Recommendations
Implement a function, on LendingPool to call the updateLiquidityIndexfunction and make the index dynamic as it should be.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RToken::updateLiquidityIndex() has onlyReservePool modifier but LendingPool never calls it, causing transferFrom() to use stale liquidity index values
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.