Uninvoked `DebtToken::updateUsageIndex` Function in LendingPool Leads to Stale Data in DebtToken contract
Summary
The updateUsageIndex function in the DebtToken contract is designed to be called by the LendingPool (ReservePool) to update the critical _usageIndex parameter. However, the LendingPool lacks a mechanism to invoke this function, resulting in an outdated _usageIndex.
Vulnerability Details
This updateUsageIndex function update the _usageIndex that must be synchronized with the reserve.usageIndex in the lendingPool contract, While updateUsageIndex is protected by the onlyReservePool modifier, the LendingPool does not call this function.
The _usageIndex is intended to reflect real-time usage metrics (e.g., debt utilization). Without updates from the LendingPool, it becomes obsolete.
Impact
_usageIndex not synchronized with the reserve.usageIndex in the lendingPool contract. As a result, the value returned by getUsageIndex in DebtToken contract be outdated, leading to misaligned calculations.
Tools Used
Manual Review
Recommendations
Call DebtToken.updateUsageIndex(newValue) during key actions in the LendingPool that synchronized with the reserve.usageIndex.
Lead Judging Commences
[INVALID] Unused _usageIndex Variable and updateUsageIndex() Function in DebtToken Contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.