Core Contracts

Summary

** updateReserveInterests is not called before updateInterestRatesAndLiquidity in the function setPrimeRate(ReserveLibrary). As a result, if the interest rate is not updated for a long time and the new prime rate is bigger than the previous prime rate, then the borrow rate and liquidity rate will be bigger than expected.also if the interest rate is not updated for a long time and the new prime rate is less than the previous prime rate, then the borrow rate and liquidity rate will be less than expected.**

Vulnerability Details

** 1. Let’s assume current primerate = 1e27, reserve.usageIndex = 1.2e27, reserve.liquidityIndex = 1.17e27. Also let’s assume, the interest rate is not updated for a long time. If now interest rate is updated, then reserve.usageIndex will be 1.25e27 and reserve.liquidityIndex will be 1.2e27.**

2. now new primerate i.e 1.1e27 is set by owner which calls function setPrimeRate where updateInterestRatesAndLiquidity is called which updates borrow rate and liquidity rate and then it updates reserve.liquidityIndex , reserve.usageIndex based on new borrow rate/liquidity rate.

3. when function setPrimeRate is called, it should first update reserve.liquidityIndex , reserve.usageIndex based on previous borrow rate/liquidity rate, then it should update borrow rate and liquidity rate based on new prime rate.

**
**

Impact

if the interest rate is not updated for a long time and the new prime rate is bigger than the previous prime rate, then the borrow rate and liquidity rate will be bigger than expected.also if the interest rate is not updated for a long time and the new prime rate is less than the previous prime rate, then the borrow rate and liquidity rate will be less than expected.

Tools Used

manual review

Recommendations

call updateReserveInterests before updateInterestRatesAndLiquidity in the function setPrimeRate.