Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

calculateUtilizationRate in ReserveLibrary.sol returns incorrect utilization value

Summary

The function calculateUtilizationRate(uint256 totalLiquidity, uint256 totalDebt) in ReserveLibrary.sol assumes that totalDebt and totalLiquidity are denominated in the same unit. This assumption is incorrect and leads to an inaccurate utilization rate calculation.

This issue arises because totalLiquidity represents the amount of crvUSD available for lending, whereas totalDebt is based on the DebtToken total supply. As a result, the utilization rate can be miscalculated, leading to incorrect interest rate dynamics.

Vulnerability Details

How Liquidity is Tracked

The reserve.totalLiquidity variable represents the amount of crvUSD supplied by lenders and available for borrowing.

This can be confirmed by tracing the deposit flow in LendingPool.sol:

  1. User deposits crvUSD: The deposit(uint256 amount) function takes a crvUSD amount as an argument.

  2. Deposit is processed in ReserveLibrary.sol: The call to ReserveLibrary.deposit() ultimately updates reserve.totalLiquidity by adding or subtracting crvUSD values:

    if (liquidityAdded > 0) {
        reserve.totalLiquidity += liquidityAdded.toUint128();
    }
    if (liquidityTaken > 0) {
        if (reserve.totalLiquidity < liquidityTaken) revert InsufficientLiquidity();
        reserve.totalLiquidity -= liquidityTaken.toUint128();
    }

How Debt is Tracked

Borrowing in LendingPool.sol affects reserve.totalUsage, which is updated as follows:

reserve.totalUsage = newTotalSupply;

Here, newTotalSupply corresponds to the total supply of DebtTokens.

Impact

calculateUtilizationRate() treats totalLiquidity and totalDebt as if they are directly comparable. However, since totalDebt tracks DebtTokens while totalLiquidity tracks crvUSD, the function is mixing two different value units. This can lead to:

  • Incorrect Interest Rate Calculation: Since utilization rate impacts borrowing costs and lending returns, a miscalculated value can distort interest rates.

  • Potential Economic Exploit: If the system operates under incorrect utilization metrics, it may allow borrowers to exploit cheaper borrowing rates or cause lenders to receive lower-than-expected yields.

  • Risk of Liquidity Mismanagement: An inaccurate utilization rate could lead to improper liquidity management, either locking too much liquidity or failing to control lending properly.

Tools Used

Manual review

Recommendations

Ensure Unit Consistency: Convert totalDebt into crvUSD before using it in utilization calculations.

Enhance Documentation: Clearly specify how totalLiquidity and totalDebt are measured to prevent further confusion.
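
The unit mismatch and the recommended conversion, worked through numerically as an added example (not code from the RAAC repository). It assumes ray (1e27) fixed-point math, a utilization formula of debt / (liquidity + debt), and a hypothetical usageIndex that converts the scaled DebtToken supply into crvUSD owed; none of these appear on this page.

```javascript
// Added illustration; not code from the RAAC repository.
// Assumptions: ray (1e27) fixed-point math, utilization = debt / (liquidity + debt),
// and a hypothetical usageIndex that converts scaled DebtToken supply into crvUSD owed.
const RAY = 10n ** 27n;
const E18 = 10n ** 18n;

// Round-half-up ray helpers over BigInt, standing in for uint256 arithmetic.
const rayMul = (a, b) => (a * b + RAY / 2n) / RAY;
const rayDiv = (a, b) => (a * RAY + b / 2n) / b;

// Utilization as a ray. Only meaningful when both inputs share one unit.
function utilizationRate(totalLiquidity, totalDebt) {
  const total = totalLiquidity + totalDebt;
  return total === 0n ? 0n : rayDiv(totalDebt, total);
}

// Scaled DebtToken supply -> crvUSD owed, the conversion the recommendation asks for.
function normalizeDebt(scaledDebt, usageIndex) {
  return rayMul(scaledDebt, usageIndex);
}

// Compare the mixed-unit result with the unit-consistent one.
function compareUtilization({ totalLiquidity, scaledDebt, usageIndex }) {
  const mixed = utilizationRate(totalLiquidity, scaledDebt);
  const consistent = utilizationRate(totalLiquidity, normalizeDebt(scaledDebt, usageIndex));
  // Signed gap in basis points: positive means the mixed value understates utilization.
  const gapBps = ((consistent - mixed) * 10000n) / RAY;
  return { mixed, consistent, gapBps };
}

// Constructed sample: 400,000 crvUSD idle, 500,000 scaled debt, index 1.2.
const sample = {
  totalLiquidity: 400000n * E18,
  scaledDebt: 500000n * E18,
  usageIndex: (12n * RAY) / 10n,
};
const result = compareUtilization(sample);
console.log(`mixed units: ${result.mixed}`);
console.log(`consistent:  ${result.consistent}`);
console.log(`gap (bps):   ${result.gapBps}`);
```

With the constructed sample, the mixed-unit rate is about 55.56% while the unit-consistent rate is 60%, and the gap widens as the index grows with accrued interest.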

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

calculateUtilizationRate mixes unscaled totalLiquidity with scaled totalUsage values, causing incorrect utilization rates and interest calculations across the protocol
