Submission Details
Severity:
Stale Data in DebtToken
Summary
DebtToken's balanceOf function uses potentially stale normalized debt values from LendingPool, allowing users to manipulate their debt positions by timing transactions around index updates.
Vulnerability Details
balanceOf relies on ILendingPool.getNormalizedDebt(), which may not be updated.
function balanceOf(address account) public view override(ERC20, IERC20) returns (uint256) {
uint256 scaledBalance = super.balanceOf(account);
return scaledBalance.rayMul(ILendingPool(_reservePool).getNormalizedDebt());
}
Impact
Incorrect debt calculations.
Tools Used
manual
Recommendations
Ensure LendingPool updates state before critical operations.
// In LendingPool.sol
function updateState() public returns (uint256) {
uint256 previousIndex = _normalizedDebt;
uint256 timeDelta = block.timestamp - lastUpdateTimestamp;
if (timeDelta > 0) {
uint256 interestRate = _calculateInterestRate();
_normalizedDebt = _normalizedDebt.rayMul(
interestRate.rayMul(timeDelta)
);
lastUpdateTimestamp = block.timestamp;
emit StateUpdated(_normalizedDebt, interestRate);
}
return _normalizedDebt;
}
// Add state update checks to critical functions
function borrow(uint256 amount) external {
updateState();
// Continue with borrow logic
}
function repay(uint256 amount) external {
updateState();
// Continue with repay logic
}
function liquidate(address user) external {
updateState();
// Continue with liquidation logic
}
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
LendingPool::getNormalizedIncome() and getNormalizedDebt() returns stale data without updating state first, causing RToken calculations to use outdated values
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.