Core Contracts

Summary

The LendingPool contract contains a critical vulnerability in its utilization rate calculation that causes systematic undervaluation of interest rates. The current formula mathematically prevents the utilization rate from ever reaching 100% and significantly underestimates the true utilization of the pool.

Vulnerability Details

The formula used is:

The standard formula should be:

The current implementation might lead to incorrect calculations because:

1. Adding totalUsage to the denominator effectively double-counts the borrowed amount

2. This could lead to underestimation of the utilization rate

3. The formula would never reach 100% utilization, even if all funds were borrowed

For example:

• If totalLiquidity = 100 and totalUsage = 100

• Current formula: 100 / (100 + 100) = 0.5 or 50%

• Correct formula should be: 100 / 100 = 1 or 100%

Impact

The vulnerability has severe implications:

Interest Rate Undervaluation

• Borrowers pay significantly lower interest rates than they should

• Lenders receive reduced yields

• Protocol earns less fees than intended

Example scenarios demonstrating the impact:

Risk Management Issues

• Utilization appears lower than reality

• Could lead to over-leveraged positions

• Compromises protocol's risk assessment

Financial Losses

• Reduced protocol revenue

• Unfair distribution of yields

• Potential protocol insolvency risks

Tools Used

• Manual code review

Recommendations

1. Modify the utilization rate calculation to use the correct formula:

2. Update all dependent functions that rely on utilization rate calculations.

3. Add invariant tests to ensure utilization rate behaves as expected:

   • 0 liquidity = 0% utilization

   • usage = liquidity → 100% utilization

   • usage < liquidity → proportional utilization

4. Add safety checks like: