Incorrect Prime Rate Update Causing Cascading Effects on Borrow Rates, Reserve Indices, and System Stability
Summary
A critical vulnerability exists in the setPrimeRate() function within the LendingPool contract due to the failure to proportionately update baseRate, optimalRate, and maxRate alongside the primeRate when changes occur. This oversight leads to incorrect borrow rate calculations, which propagate through the reserve lending system, ultimately affecting liquidity indices, borrower debt accumulation, and system stability. The cascading effects of this flaw significantly degrade the protocol’s risk management and capital efficiency.
Vulnerability Details
When the LendingPool is initialized, the following proportional relationships between the primeRate and the other interest rate parameters are established:
However, when setPrimeRate() is called, only the primeRate is updated, while the baseRate, optimalRate, and maxRate remain at their initial values:
Since the baseRate, optimalRate, and maxRate are not updated proportionately, their values may become disconnected from the prime rate. When this change propagates to the updateInterestRatesAndLiquidity() function, it triggers incorrect borrow rate calculations.
Cascading Effects of Incorrect Borrow Rate
Step 1: Incorrect Calculation of the Borrow Rate (rateData.currentUsageRate)
The
calculateBorrowRate()function depends onprimeRate,baseRate,optimalRate, andmaxRate. However, since onlyprimeRateis updated, the mismatch causes the borrow rate to be improperly calculated.If the borrow rate is too low, the protocol underestimates debt accumulation, leading to liquidity risks. Conversely, if the rate is too high, it causes unnecessary borrower liquidation events.
Step 2: Propagation to Reserve and Usage Indices
The incorrect borrow rate directly impacts the usage index through the
updateReserveInterests()function:
The usage index represents the protocol’s cumulative debt growth. A higher-than-expected usage index inflates the perceived borrower debt, while a lower usage index underestimates the protocol’s exposure to risk.
Step 3: Incorrect Debt Calculations in Normalized Debt Estimation
The incorrect usage index affects many calculations dependent on it.
If the usage index is too high, borrowers face higher repayment obligations, increasing the likelihood of defaults and liquidation events. If it is too low, the protocol underestimates its debt exposure, leading to systemic risk.
Step 4: Impact on Liquidity Rate
Additionally, it also affects the determination of the current liquidity rate (
rateData.currentLiquidityRate), which influences how liquidity providers are rewarded for their deposits via the linearly growingreserve.liquidityIndex. Improper rewards can discourage liquidity providers, leading to capital outflows.
Impact
Inaccurate Borrower Obligations: Borrowers may face unrealistic repayment requirements or insufficient debt monitoring, leading to either unexpected defaults or protocol under-collateralization.
Mismanaged Risk Exposure: The protocol’s estimation of risk becomes unreliable, increasing systemic vulnerability to liquidity crises or insufficient capital reserves.
Suboptimal Rewards for Liquidity Providers: The incorrect calculation of liquidity rates discourages deposits and affects the protocol’s ability to maintain sufficient liquidity.
Tools Used
Manual
Recommendations
Consider refactoring as follows:
Lead Judging Commences
ReserveLibrary::setPrimeRate only updates primeRate without adjusting baseRate, optimalRate, and maxRate proportionally, breaking interest rate model and causing incorrect calculations
ReserveLibrary::setPrimeRate only updates primeRate without adjusting baseRate, optimalRate, and maxRate proportionally, breaking interest rate model and causing incorrect calculations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.