Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Incorrect Total Debt Computation in `ReserveLibrary` Leading to Faulty Utilization, Borrow, and Liquidity Rate Calculations

xcrypt

Summary

The ReserveLibrary contract has a critical bug in its debt calculation mechanism, which adversely affects the computation of the utilization rate as well as the resulting borrow and liquidity rates. Specifically, the getNormalizedDebt function erroneously computes debt using compounded interest rather than returning the actual debt value. This miscalculation distorts the utilization rate, leading to incorrect rates that impact the lending and borrowing operations of the protocol.

Vulnerability Details

Issue:
The getNormalizedDebt function currently calculates total debt as follows:

return calculateCompoundedInterest(rateData.currentUsageRate, timeDelta).rayMul(reserve.usageIndex);

This method incorporates compounded interest via the usageIndex, which means the value returned reflects an interest factor rather than the actual debt. The correct approach should be to calculate the debt as:

return reserve.usageIndex.rayMul(reserve.totalUsage);
Affected Calculations:
The utilization rate in functions like getBorrowRate and getLiquidityRate relies on the output of getNormalizedDebt. Since this function returns an incorrect value, the resulting utilization rate, as well as the borrow and liquidity rates, are miscalculated.

Impact

Faulty Utilization Rate:
The utilization rate will be computed based on an inflated or distorted total debt value, leading to inaccurate calculations.
Erroneous Borrow and Liquidity Rates:
Borrowers might face incorrect interest rates, and liquidity providers could receive improper incentives due to the miscalculation.
Financial Discrepancies:
Users may overpay or receive less than expected, causing significant financial imbalances within the system.

Tools Used

Manual Code Review

Recommendations

Correct the Debt Calculation:
Update the getNormalizedDebt function to return the true debt amount:

return reserve.usageIndex.rayMul(reserve.totalUsage);
Revise the Utilization Rate Formula:
Modify the calculation in getBorrowRate and getLiquidityRate to utilize the corrected debt value:

uint256 utilizationRate = calculateUtilizationRate(reserve.totalLiquidity, reserve.usageIndex.rayMul(reserve.totalUsage));
Recompute Rates:
After using the correct total debt in the utilization rate, recalculate the borrow and liquidity rates to ensure they accurately reflect the underlying economics.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

getNormalizedDebt doesn't return total debt but only the index, causing incorrect utilization and interest rate calculations

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

getNormalizedDebt doesn't return total debt but only the index, causing incorrect utilization and interest rate calculations

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!