Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Interest will be updated incorrectly in setPrimeRate

x1485967

Summary

Interest will be updated incorrectly in setPrimeRate

Vulnerability Details

The owner can send one request to update the prime rate. When we receive the response data, we will set the lending pool's prime rate. In the function setPrimeRate, we will update the primeRate at first, then we will accrue the borrow interest in the previous time slot via updating the related liquidity index and usage index with the updated prime rate.

This is incorrect. The previous time slot's borrow interest should be calculated based on the previous prime rate and previous borrow rate.

For example:

  1. Alice deposits some funds in the lending pool in timestamp X.

  2. Bob borrows some funds from the lending pool in timestamp X + 100. After bob's borrow, the currentUsageRate is a1.

  3. The owner sends one request to update the prime rate in timestamp X + 500. Assume we get the response in timestamp X + 510. Here we update the currentUsageRate to a2. The borrow interest between timestamp X + 100 and timestamp X + 510 will be calculated with the updated usage rate a2. This is incorrect. We should use a1 to accrue the borrow interest between timestamp X + 100 and timestamp X + 510.

function setPrimeRate( ReserveData storage reserve,ReserveRateData storage rateData,uint256 newPrimeRate) internal {
uint256 oldPrimeRate = rateData.primeRate;
rateData.primeRate = newPrimeRate;
updateInterestRatesAndLiquidity(reserve, rateData, 0, 0);
}
function updateInterestRatesAndLiquidity(ReserveData storage reserve,ReserveRateData storage rateData,uint256 liquidityAdded,uint256 liquidityTaken) internal {
....
// update total liquidity.
uint256 totalLiquidity = reserve.totalLiquidity;
uint256 totalDebt = reserve.totalUsage;
uint256 utilizationRate = calculateUtilizationRate(reserve.totalLiquidity, reserve.totalUsage);
// Update current usage rate (borrow rate)
rateData.currentUsageRate = calculateBorrowRate(
rateData.primeRate, // primeRate is related with the borrow rate.
rateData.baseRate,
rateData.optimalRate,
rateData.maxRate,
rateData.optimalUtilizationRate,
utilizationRate
);
// Update current liquidity rate
rateData.currentLiquidityRate = calculateLiquidityRate(
utilizationRate,
rateData.currentUsageRate, // borrow rate.
rateData.protocolFeeRate,
totalDebt
);
// Update the reserve interests
updateReserveInterests(reserve, rateData);
}

Impact

The borrow interest's calculation is incorrect.

Tools Used

Manual

Recommendations

Accrue the borrow interest, update the usage index, liquidity index before we update the prime rate.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrimeRate applies new rates retroactively by updating rates after changing primeRate, causing incorrect interest calculations for past periods

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrimeRate applies new rates retroactively by updating rates after changing primeRate, causing incorrect interest calculations for past periods

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.