Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Status: Invalid

Insufficient Validation on Prime Rate Setting

Summary

The setPrimeRate() function in the LendingPool contract lacks an upper bound, allowing a compromised primeRateOracle to incrementally inflate the prime rate beyond reasonable limits. This medium-impact, low-likelihood issue could increase borrow rates, lower user health factors, and trigger unwarranted liquidations, destabilizing borrower positions and benefiting attackers.

Vulnerability Details

The setPrimeRate() function in ReserveLibrary enforces a minimum of 1 and a 5% change limit via PercentageMath.percentMul(), but it has no absolute ceiling. A malicious oracle could raise the rate repeatedly. Example:

- Initial primeRate is 1e18 (1% in RAY).
- Oracle increases it by 5% three times: 1e18 → 1.05e18 → 1.1025e18.
- This elevates currentUsageRate via calculateBorrowRate(), dropping health factors (e.g., from 1.2e18 to below 1e18).
- An attacker could then liquidate users, profiting from discounted NFTs (e.g., 10,000 crvUSD worth).
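To make the compounding concrete, the following added model (not code from the audited repository) replays the per-call 5% limit with and without a ceiling and counts how many oracle updates the ramp takes. It assumes PercentageMath uses a 10_000 bps denominator with half-up rounding; the starting value 1e18 is the one the finding uses.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

BPS = 10_000         # assumed PercentageMath denominator: 100% == 10_000 bps
MAX_STEP_BPS = 500   # the existing per-call change limit described in the finding: 5%


def percent_mul(value: int, bps: int) -> int:
    """Integer percentMul: value * bps / 10_000 with half-up rounding (assumed)."""
    return (value * bps + BPS // 2) // BPS


@dataclass
class RateData:
    prime_rate: int


class PrimeRateMustBePositive(Exception): ...
class PrimeRateChangeTooLarge(Exception): ...
class PrimeRateTooHigh(Exception): ...


def set_prime_rate(rate: RateData, new_rate: int, max_rate: Optional[int] = None) -> int:
    """Model of setPrimeRate: minimum of 1, 5% step limit, and an optional absolute ceiling."""
    if new_rate < 1:
        raise PrimeRateMustBePositive()
    old = rate.prime_rate
    if abs(new_rate - old) > percent_mul(old, MAX_STEP_BPS):
        raise PrimeRateChangeTooLarge()
    if max_rate is not None and new_rate > max_rate:   # the missing upper bound
        raise PrimeRateTooHigh()
    rate.prime_rate = new_rate
    return new_rate


def ramp(start: int, target: int, max_rate: Optional[int] = None) -> Tuple[int, int, bool]:
    """A compromised oracle pushes the largest allowed step on every call until `target`.
    Returns (calls made, final rate, stopped_by_cap)."""
    rate = RateData(start)
    calls = 0
    while rate.prime_rate < target:
        step = percent_mul(rate.prime_rate, MAX_STEP_BPS)
        try:
            set_prime_rate(rate, rate.prime_rate + step, max_rate)
        except PrimeRateTooHigh:
            return calls, rate.prime_rate, True
        calls += 1
    return calls, rate.prime_rate, False
```

Without a ceiling, 48 maximal steps carry 1e18 past 10e18 (a tenfold rate); with a 5e18 ceiling the same sequence is refused on the 33rd call.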

Impact

Borrowers face higher rates and potential liquidations, a medium-impact risk that could lead to significant losses (e.g., 10,000 crvUSD in collateral). The low likelihood depends on oracle compromise, but the absence of an upper bound amplifies the potential for gradual exploitation, threatening system stability.

Tools Used

Manual Code Review: To identify the lack of an upper bound in setPrimeRate().

Recommendations

Add an upper bound to setPrimeRate() in ReserveLibrary:

```solidity
function setPrimeRate(
    ReserveData storage reserve,
    ReserveRateData storage rateData,
    uint256 newPrimeRate
) internal {
    if (newPrimeRate < 1) revert PrimeRateMustBePositive();
    require(newPrimeRate <= 100_00 * 1e18, "Prime rate exceeds maximum"); // Max 100% in RAY
    // Capture the previous rate before overwriting it so the event reports the real change.
    uint256 oldPrimeRate = rateData.primeRate;
    // Existing 5% change logic...
    rateData.primeRate = newPrimeRate;
    updateInterestRatesAndLiquidity(reserve, rateData, 0, 0);
    emit PrimeRateUpdated(oldPrimeRate, newPrimeRate);
}
```
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
