Core Contracts

Summary

Depositors and borrowers interact with the system, where interest accrues differently for deposits and loans. When borrowers repay with interest, depositors expect to withdraw their deposits plus earned interest. However, due to mismatched index calculations, the total withdrawal amount exceeds the actual available balance. Early withdrawers take more than their fair share, leaving the last user unable to withdraw their full amount.

Vulnerability Details

1. Let’s assume , total crvUSD deposited by depositors = 1000e18, total crvUSD borrowed by borrowers = 800e18(without interest ). Currently liquidityIndex = 1.2e27(as liquidityIndex is calculated using linear interest), usageIndex = 1.3e27(as borrowIndex is calculated using compounded interest).

2. after that, (500e18*1.3e27)/1e27 = 650e18 amount(with interest ) is repaid by borrowers and depositors will withdraw (1000e18*1.2e27)/1e27 = 1200e18 amount(with interest ).

3. but depositors real withdrawable amount = 1000e18(deposited by depositors)+interest paid by borrowers(650e18 - 500e18) = 1000e18+150e18 = 1150e18.

4. so depositors will withdraw 1200e18 amount but depositors real withdrawable amount = 1150e18. As a result, initial withdrawers will withdraw their amount and the last withdrawer/user can’t withdraw his withdrawable amount because the initial users interest is taken from the last user.

Impact

some withdrawers/last withdrawers can’t withdraw their crvUSD amount.

Tools Used

manual review

Recommendations

implement properly to prevent this bug.