Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Interest Rates Updated After Token Transfers Lead to Incorrect Calculations

Summary

Throughout the LendingPool contract, interest rates are updated only after the underlying token transfer in the critical functions deposit, withdraw, borrow, _repay, and finalizeLiquidation. Each of these transfers changes the utilization ratio, which is the input to the interest rate model, yet the rate is not refreshed to reflect the new ratio before the next user interaction. The result is incorrect interest rate calculations, inflated indices, and financial losses for users.

Vulnerability Details

In the current implementation, updateInterestRatesAndLiquidity is called after the token transfer in every critical function. Every deposit, withdrawal, borrow, repayment and liquidation moves the utilization ratio (the ratio of total debt to total liquidity) up or down, and the interest rate is a direct function of that ratio. Because the rate is not updated to reflect the new utilization before the transfer, the rate carried forward is derived from an outdated ratio, and the next user interacts with the protocol (and accrues interest for the elapsed period) against that stale value, leading to incorrect calculations.

Code Examples

In each of the functions below, the interest rate is updated after the token transfer:

  1. deposit function: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/libraries/pools/ReserveLibrary.sol#L347

  2. withdraw: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/libraries/pools/ReserveLibrary.sol#L386
    (here the transfer happens inside the RToken burn)

  3. borrow: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L363

  4. repay: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L428

  5. finalizeLiquidation: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L532

For comparison, Aave v3, from which this protocol is heavily inspired, always updates interest rates before any token transfer (after updating the reserve state and minting or burning the debt token), so that the stored rate already reflects the post-action utilization when the next interaction accrues interest.

Impact

The impact of this vulnerability is significant and affects all critical functions in the protocol:

  1. Deposit: The utilization ratio decreases, but the interest rate is not updated. The next user interacting with the protocol will use an outdated (higher) utilization ratio, leading to incorrect interest rate calculations.

  2. Withdraw: The utilization ratio increases, but the interest rate is not updated. The next user interacting with the protocol will use an outdated (lower) utilization ratio, leading to incorrect interest rate calculations.

  3. Borrow: The utilization ratio increases, but the interest rate is not updated. The next user interacting with the protocol will use an outdated (lower) utilization ratio, leading to incorrect interest rate calculations.

  4. Repay: The utilization ratio decreases, but the interest rate is not updated. The next user interacting with the protocol will use an outdated (higher) utilization ratio, leading to incorrect interest rate calculations.

  5. Liquidation: The utilization ratio changes, but the interest rate is not updated. The next user interacting with the protocol will use an outdated utilization ratio, leading to incorrect interest rate calculations.

Tools Used

Manual review

Recommendations

Interest rates should be updated before any token transfer.

Note that in the borrow function, the interest rate should be updated before the token transfer but after the debt token is minted, so that the new rate reflects the increased debt.

The same applies to the repay function: the interest rate should be updated before the token transfer but after the debt token is burned.
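To make the ordering in the Vulnerability Details and Recommendations concrete, here is a small Python model of an Aave-style reserve, written for this page as an added example; it is not RAAC or Aave code. It assumes a single cumulative interest index, a linear rate curve (2% base plus 20% at full utilization), linear per-year accrual, and Aave-style ray fixed-point math; the reserve sizes and the borrow amount are constructed. The reported condition is modelled as the rate not being refreshed from the post-action utilization until the next interaction. The model runs one borrow with the recommended ordering (accrue state, mint debt, recompute the rate from post-action utilization, then transfer) and with the stale ordering, and compares the index and the borrower's debt one year later.

```python
"""Illustrative model of reserve update ordering (added example, not RAAC/Aave code).

Assumptions: one cumulative interest index for the reserve, a linear rate curve
(2% base + 20% * utilization), linear per-year accrual, ray (1e27) fixed point.
"""
from dataclasses import dataclass

RAY = 10**27
WAD = 10**18
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply with rounding, as in Aave's WadRayMath."""
    return (a * b + RAY // 2) // RAY


@dataclass
class Reserve:
    liquidity: int        # underlying actually held by the pool (wad)
    total_debt: int       # outstanding principal (wad)
    index: int = RAY      # cumulative interest index (ray)
    rate: int = 0         # per-year rate currently in force (ray)
    last_update: int = 0  # timestamp of the last accrual


def utilization(liquidity: int, debt: int) -> int:
    total = liquidity + debt
    return 0 if total == 0 else debt * RAY // total


def rate_from_utilization(u: int) -> int:
    base = 2 * RAY // 100    # 2% (assumed curve)
    slope = 20 * RAY // 100  # +20% at full utilization (assumed curve)
    return base + ray_mul(slope, u)


def update_state(r: Reserve, now: int) -> None:
    """Accrue the index for the elapsed period with the rate that was in force."""
    growth = RAY + r.rate * (now - r.last_update) // SECONDS_PER_YEAR
    r.index = ray_mul(r.index, growth)
    r.last_update = now


def update_interest_rates(r: Reserve, liquidity_added: int = 0, liquidity_taken: int = 0) -> None:
    """Recompute the rate from the utilization the reserve will have once the
    pending transfer settles (Aave passes the deltas in for the same reason)."""
    u = utilization(r.liquidity + liquidity_added - liquidity_taken, r.total_debt)
    r.rate = rate_from_utilization(u)


def borrow(r: Reserve, amount: int, now: int, stale: bool) -> None:
    update_state(r, now)        # 1. accrue with the old rate
    r.total_debt += amount      # 2. mint debt token (raises utilization)
    if not stale:
        # 3. recommended: rate from post-action utilization, before the transfer
        update_interest_rates(r, liquidity_taken=amount)
    r.liquidity -= amount       # 4. transfer the underlying out
    # stale=True models the reported condition: the rate carried into the next
    # period still reflects the utilization from before this borrow.


def touch(r: Reserve, now: int) -> None:
    """Any later interaction: accrue, then refresh the rate."""
    update_state(r, now)
    update_interest_rates(r)


def simulate(stale: bool) -> tuple[int, int]:
    """Return (index after one year in ray, borrower debt after one year in wad)."""
    r = Reserve(liquidity=800 * WAD, total_debt=200 * WAD)
    r.rate = rate_from_utilization(utilization(r.liquidity, r.total_debt))  # 6% at 20% utilization
    amount = 300 * WAD
    borrow(r, amount, now=0, stale=stale)       # utilization moves from 20% to 50%
    scaled_debt = amount * RAY // r.index       # debt is stored scaled by the index
    touch(r, now=SECONDS_PER_YEAR)              # next user's interaction, a year later
    return r.index, ray_mul(scaled_debt, r.index)


if __name__ == "__main__":
    for stale in (False, True):
        index, debt = simulate(stale)
        print(f"stale={stale}: index={index / RAY:.4f} borrower_debt={debt / WAD:.2f}")
```

With the recommended ordering the year accrues at 12% (index 1.12, debt 336), because the rate stored before the transfer already reflects 50% utilization. With the stale ordering the whole year accrues at the pre-borrow 6% (index 1.06, debt 318) and the rate only catches up when the next user interacts, which is the "outdated utilization ratio" the Impact section describes; the same model applies symmetrically to deposit, withdraw and repay, where the stale rate is too high rather than too low.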

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool: liquidateBorrower should call lendingPool.updateState earlier, to ensure the updated usageIndex is used in calculating the scaledUserDebt
