Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Wrong scaling in ReserveLibrary::calculateCompoundedInterest leads to ratePerSecond being many orders of magnitude higher than intended

Summary

The calculateCompoundedInterest() function incorrectly calculates ratePerSecond using:

```solidity
uint256 ratePerSecond = rate.rayDiv(SECONDS_PER_YEAR);
```

However, SECONDS_PER_YEAR is not in RAY format, leading to a significant miscalculation in ratePerSecond. This results in the contract tracking much higher compounded debt than intended—by approximately 20 orders of magnitude.


Vulnerability Details

  • The function calculates interest per second by dividing the annual rate by SECONDS_PER_YEAR (31,536,000).

  • rate is a RAY value (1e27 precision), but SECONDS_PER_YEAR is a normal integer (1e0 precision).

  • The operation rate.rayDiv(SECONDS_PER_YEAR) does not properly scale SECONDS_PER_YEAR to RAY precision, effectively multiplying the interest rate instead of dividing it correctly.

  • This leads to excessively high interest accumulation, affecting debt tracking and repayment logic.

For example, let's say the rate is 1.01e27. The rayDiv operation will yield the following:

  • rayDiv(1.01e27, 31536000) = 3.23471588e46


Impact

Severity: High

  • Users will be charged significantly more debt than they should be, leading to incorrect liquidations and funds being drained unfairly.

  • This affects all borrowers in the system and may result in protocol insolvency if excess interest accumulates uncontrollably.

  • If this issue is not fixed, all debt calculations in the contract are unreliable, breaking core lending logic.


Tools Used

  • Manual code review


Recommendations

Adhere to Aave's implementation of this function, as seen here: https://github.com/aave/aave-protocol/blob/4b4545fb583fd4f400507b10f3c3114f45b8a037/contracts/libraries/CoreLibrary.sol#L413C2-L424C5

Use a normal div operation instead of rayDiv for ratePerSecond.
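The scale of `rate.rayDiv(SECONDS_PER_YEAR)` next to the plain division recommended above, as an added example in Python (not code from the submission or from the audited contracts). It assumes `rayDiv` follows the Aave-style WadRayMath definition with half-up rounding, uses a constructed 5% annual rate, and the function names are hypothetical.

```python
RAY = 10**27                   # fixed-point unit for RAY values (1e27), as on the page
SECONDS_PER_YEAR = 31_536_000  # plain integer, not RAY-scaled, as on the page


def ray_div(a: int, b: int) -> int:
    """Assumed Aave-style rayDiv: (a * RAY) / b, rounded half up."""
    if b == 0:
        raise ZeroDivisionError("rayDiv by zero")
    return (a * RAY + b // 2) // b


def per_second_variants(rate: int) -> dict:
    """Per-second rate computed three ways from a RAY-scaled annual rate."""
    return {
        # Expression quoted in the finding: the divisor is not in RAY,
        # so the result keeps an extra RAY factor.
        "rayDiv, plain divisor": ray_div(rate, SECONDS_PER_YEAR),
        # Recommended form: RAY / integer stays in RAY.
        "plain division": rate // SECONDS_PER_YEAR,
        # Alternative: scale the divisor to RAY before calling rayDiv.
        "rayDiv, RAY-scaled divisor": ray_div(rate, SECONDS_PER_YEAR * RAY),
    }


def annualizes_back(rate: int, per_second: int) -> bool:
    """Scale check: per_second * SECONDS_PER_YEAR must equal rate up to rounding."""
    return abs(per_second * SECONDS_PER_YEAR - rate) <= SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 5 * 10**25  # constructed sample: 5% annual rate in RAY
    for name, value in per_second_variants(rate).items():
        ok = annualizes_back(rate, value)
        print(f"{name:28} {value:.6e}  annualizes back: {ok}")
```

The `annualizes_back` check is the kind of invariant a unit or fuzz test can assert on any per-second rate derived from an annual one.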

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

ReserveLibrary::calculateCompoundedInterest uses rayDiv with unscaled SECONDS_PER_YEAR, causing incorrect interest calculation and inflated debt accumulation

Appeal created

inallhonesty Lead Judge 6 months ago
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

ReserveLibrary::calculateCompoundedInterest uses rayDiv with unscaled SECONDS_PER_YEAR, causing incorrect interest calculation and inflated debt accumulation
