Reserve interests update persist without yield generation could lead to inaccurate accounting
Summary
Missing check that the currentLiquidityRate and the currentUsageRate of the Lending Pool is zero. The reserve continues to update users accured interest over time even when there is no revenue being generated.
Vulnerability Details
In the ReserveLibrary.sol, the reserve interests are updated when updateReserveInterests is invoked. This is goining to be happening on every available functions in the Lending Pool so that appropriate interest are accumulated. However, the issue arises when the reserve interests update persists when the pool is not generating enough revenue to cover for interest generated by the depositors.
In comparison to an Aave Lending Pool implementation with shares some similar features, there is a check to ensure that reserve indexes are updated only when the current liquidity and usage rate are non-zero.
See:
Impact
Protocol might turn bankrupt if they do not generate enough income to pay depostors of the reserve asset token.
Tools Used
Manual review.
Recommendations
Add checks to confirm that the current liquidity rate and current usage rate is greater than 0 before updating the liquidity and usage index are updated.
Lead Judging Commences
LendingPool's usageIndex compounds at baseRate even when no debt exists, creating artificially high starting interest for future borrowers and discouraging protocol adoption
LendingPool's usageIndex compounds at baseRate even when no debt exists, creating artificially high starting interest for future borrowers and discouraging protocol adoption
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.