Impossible to update liquidity index within RToken contract
Summary
There is updateLiquidityIndex() within RToken.sol, it suppose to update the index to match with LendingPool.sol contract one. updateLiquidityIndex() have onlyReservePool modifier (which let only to lending pool contract to call this function). Meanwhile LendingPool doesn't have ability to call updateLiquidityIndex().
Vulnerability Details
RToken.sol
Within LendingPool.sol contract there is no way to call updateLiquidityIndex() from RToken, it's not implemented in any of subcall. This lead us to situation where we won't be able to update such parameter in RToken.
Impact
If protocol decide to update liquidity index - it won't be possible, essentially is dos of important setter function.
Tools Used
Manual review
Recommendations
add setter function to LendingPool.sol to ensure you could change liquidity index in RToken contract
Lead Judging Commences
RToken::updateLiquidityIndex() has onlyReservePool modifier but LendingPool never calls it, causing transferFrom() to use stale liquidity index values
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.