Core Contracts
Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: medium
Valid

`getNormalizedIncome()` and `getNormalizedDebt()` in `LendingPool` may return stale data

Summary

Whenever a state-changing action happens in the LendingPool, the liquidityIndex and the usageIndex are updated based on the pool's utilization rate. The pool also exposes external view functions to read them, and these are used by RToken, DebtToken, StabilityPool and RAACMinter. However, the getters return the stored variables directly, without accounting for the time elapsed since the last update, so their callers can operate on stale indexes.

Vulnerability Details

Looking at where usageIndex and liquidityIndex are updated, the update is performed at the start of the following state-changing functions, before any token mints or burns:

deposit
withdraw
depositNFT
withdrawNFT
borrow
repay
initiateLiquidation
closeLiquidation
finalizeLiquidation

So once one of the actions above has run and no further state-changing action follows, every contract that depends on getNormalizedIncome() and getNormalizedDebt() works with stale data for as long as the pool stays idle, because the getters return the storage variables directly without accounting for elapsed time:

function getNormalizedIncome() external view returns (uint256) {
    // returns the index as last stored; no accrual for time since the last update
    return reserve.liquidityIndex;
}
function getNormalizedDebt() external view returns (uint256) {
    // same: the stored usageIndex, not the value accrued up to block.timestamp
    return reserve.usageIndex;
}

This includes liquidations and various DebtToken and RToken actions. Since the interest and borrow indexes accrue every second, the gap between the stored index and the true index grows with every block in which no state-changing call happens, so these inconsistencies add up easily.

Impact

Any contract that reads these getters (RToken, DebtToken, StabilityPool, RAACMinter) performs its calculations with indexes that lag the interest actually accrued, which can leave the RAAC protocol in invalid states.

Tools Used

Manual review

Recommendations

Use the getNormalizedIncome() and getNormalizedDebt() functions from the ReserveLibrary, which account for the time elapsed since the last update, instead of returning the stored indexes directly.
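To make the staleness described in the Vulnerability Details and the fix in the Recommendations concrete, the following is an added illustration, not code from the RAAC LendingPool or ReserveLibrary. It places the stale getter pattern beside a time-aware variant that projects the stored index forward by the elapsed time. The ReserveData layout, the rate fields and the interest formulas (linear accrual for the liquidity index, a second-order compound approximation for the usage index) are assumptions modelled on Aave-style reserve logic; the actual RAAC formulas may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not RAAC code): a stale index getter next to a time-aware one.
/// Struct fields, rates and interest formulas are assumptions, not RAAC's.
contract IndexStalenessDemo {
    uint256 internal constant RAY = 1e27;
    uint256 internal constant SECONDS_PER_YEAR = 365 days;

    struct ReserveData {
        uint128 liquidityIndex;       // RAY-scaled, grows with supply interest
        uint128 usageIndex;           // RAY-scaled, grows with borrow interest
        uint128 currentLiquidityRate; // annual rate, RAY-scaled (assumed field)
        uint128 currentUsageRate;     // annual rate, RAY-scaled (assumed field)
        uint40 lastUpdateTimestamp;   // set only by state-changing actions
    }

    ReserveData public reserve;

    constructor() {
        reserve.liquidityIndex = uint128(RAY);
        reserve.usageIndex = uint128(RAY);
        reserve.currentLiquidityRate = uint128(RAY / 20); // 5% APR (constructed)
        reserve.currentUsageRate = uint128(RAY / 10);     // 10% APR (constructed)
        reserve.lastUpdateTimestamp = uint40(block.timestamp);
    }

    // The pattern from the finding: whatever was last written to storage.
    function getNormalizedIncomeStale() external view returns (uint256) {
        return reserve.liquidityIndex;
    }

    function getNormalizedDebtStale() external view returns (uint256) {
        return reserve.usageIndex;
    }

    // Time-aware variant: accrue from lastUpdateTimestamp to block.timestamp.
    function getNormalizedIncome() public view returns (uint256) {
        uint40 last = reserve.lastUpdateTimestamp;
        if (last == block.timestamp) return reserve.liquidityIndex;
        uint256 growth = _linearInterest(reserve.currentLiquidityRate, last);
        return _rayMul(growth, reserve.liquidityIndex);
    }

    function getNormalizedDebt() public view returns (uint256) {
        uint40 last = reserve.lastUpdateTimestamp;
        if (last == block.timestamp) return reserve.usageIndex;
        uint256 growth = _compoundedInterest(reserve.currentUsageRate, last);
        return _rayMul(growth, reserve.usageIndex);
    }

    // Stand-in for the deposit/withdraw/borrow/repay/liquidation paths: only
    // these write the indexes, so between calls storage falls behind.
    function updateState() external {
        reserve.liquidityIndex = uint128(getNormalizedIncome());
        reserve.usageIndex = uint128(getNormalizedDebt());
        reserve.lastUpdateTimestamp = uint40(block.timestamp);
    }

    // 1 + rate * dt / year, RAY-scaled.
    function _linearInterest(uint256 rate, uint40 last) internal view returns (uint256) {
        uint256 dt = block.timestamp - last;
        return RAY + (rate * dt) / SECONDS_PER_YEAR;
    }

    // Second-order Taylor expansion of (1 + rate/year)^dt, RAY-scaled.
    function _compoundedInterest(uint256 rate, uint40 last) internal view returns (uint256) {
        uint256 dt = block.timestamp - last;
        if (dt == 0) return RAY;
        uint256 ratePerSecond = rate / SECONDS_PER_YEAR;
        uint256 term1 = ratePerSecond * dt;
        uint256 term2 = (_rayMul(ratePerSecond, ratePerSecond) * dt * (dt - 1)) / 2;
        return RAY + term1 + term2;
    }

    function _rayMul(uint256 a, uint256 b) internal pure returns (uint256) {
        return (a * b + RAY / 2) / RAY;
    }
}
```

Deploy the contract, advance the chain clock (for example with Hardhat's evm_increaseTime) without calling updateState(), and compare getNormalizedIncomeStale() against getNormalizedIncome(): the stale getter still returns 1e27 while the time-aware one returns the index projected to the current block. Calling updateState() brings storage back in line, which is exactly what a dependent contract cannot rely on having happened when it reads the getters.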

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNormalizedIncome() and getNormalizedDebt() returns stale data without updating state first, causing RToken calculations to use outdated values
