Loss of precision in interest rate calculation leads to incorrect borrowing rates
Summary
The calculateCompoundedInterest() function performs division before multiplication when calculating interest rates, leading to precision loss that compounds over time and results in incorrect borrowing rates.
Vulnerability Details
In ReserveLibrary::calculateCompoundedInterest(), the rate per second is calculated by dividing the annual rate by seconds per year before multiplying by the time delta:
This approach loses precision because Solidity truncates decimal places during division. The loss is amplified because:
The result is used as an exponent in interest calculations
The error compounds over time as interest accrues
The precision loss affects all subsequent calculations that depend on the interest rate
Proof of Concept
Assume an annual rate of 5% (5e27 in RAY)
Current calculation:
ratePerSecond = 5e27 / 31536000 ≈ 158,548,959,918,823 (truncated)exponent = 158,548,959,918,823 * timeDeltaCorrect calculation:
exponent = (5e27 * timeDelta) / 31536000The difference grows exponentially due to the exponent calculation
Impact
Borrowers receive incorrect interest rates that deviate from intended rates
Protocol calculations are inaccurate
Protocol will receive less than it should
Recommendation
Reorder operations to multiply before dividing:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.