In the ReserveLibrary.sol contract, the setPrimeRate function allows the maxChange limit to be surpassed with multiple calls, potentially leading to significant changes in the prime rate without proper control. Implementing a timelock for the change can mitigate this issue.
The vulnerability arises from the setPrimeRate function, which enforces a maximum change (maxChange) of 5% for the prime rate. However, this limit is only checked per call, so it can be bypassed by making multiple calls to the function, each changing the prime rate by up to 5%. This allows for significant changes in the prime rate over a short period, which can destabilize the protocol's interest rate calculations and financial stability.
Consider the following scenario:
The current prime rate is 10%.
The maxChange limit is set to 5%, allowing a maximum change of 0.5% (5% of the current 10%) per call.
An attacker or malicious actor makes multiple calls to the setPrimeRate function, each changing the prime rate by 0.5%.
After 10 calls, the prime rate has changed by 5%, bypassing the intended maxChange limit.
This scenario demonstrates how the maxChange limit can be bypassed with multiple calls, leading to significant changes in the prime rate.
By allowing the maxChange limit to be bypassed with multiple calls, the protocol risks destabilizing its interest rate calculations. Significant changes in the prime rate over a short period can lead to unpredictable interest rates, affecting borrowers and lenders. It undermines the protocol's ability to maintain a stable and predictable financial environment, potentially leading to financial losses and loss of trust among users.
Manual Review
To mitigate this vulnerability, implement a timelock mechanism for changes to the prime rate. This ensures that changes to the prime rate are spaced out over time, preventing rapid and significant changes.
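The per-call check beside a cooldown-based fix, as an added illustration rather than the project's ReserveLibrary.sol code; the contract name, the basis-point units, the owner check and the RATE_CHANGE_DELAY value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the pattern described in the finding.
// Rates are in basis points (10_000 = 100%); maxChange is 5% of the current rate.
contract PrimeRateExample {
    uint256 public primeRate = 1000;                    // 10.00%
    uint256 public constant MAX_CHANGE_BPS = 500;       // 5% of current rate per update
    uint256 public constant RATE_CHANGE_DELAY = 1 days; // assumed minimum spacing
    uint256 public lastRateChange;
    address public owner = msg.sender;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Largest permitted move for one update: 1000 * 500 / 10_000 = 50 bps (0.5%)
    function _maxDelta() internal view returns (uint256) {
        return primeRate * MAX_CHANGE_BPS / 10_000;
    }

    function _absDiff(uint256 a, uint256 b) internal pure returns (uint256) {
        return a > b ? a - b : b - a;
    }

    // Vulnerable pattern: each call respects maxChange, but nothing stops the
    // caller from chaining many calls in one block, so the cap is not a real cap.
    function setPrimeRateUnbounded(uint256 newRate) external onlyOwner {
        require(_absDiff(newRate, primeRate) <= _maxDelta(), "exceeds maxChange");
        primeRate = newRate;
    }

    // Hardened pattern: the same per-call bound plus a minimum interval between
    // changes, so 5% becomes the maximum drift per RATE_CHANGE_DELAY as well.
    function setPrimeRate(uint256 newRate) external onlyOwner {
        require(block.timestamp >= lastRateChange + RATE_CHANGE_DELAY, "rate change cooldown");
        require(_absDiff(newRate, primeRate) <= _maxDelta(), "exceeds maxChange");
        lastRateChange = block.timestamp;
        primeRate = newRate;
    }
}
```

A propose-then-execute timelock (queue the new rate, apply it only after the delay) gives users advance notice as well; the cooldown above is the minimal form that spaces changes out.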