Summary

The LendingPool.sol contract calculates deposit and borrow interest using different methodologies—linear for deposits and compound for borrows. This mismatch leads to rounding errors, creating small, unclaimable dust balances in the protocol.

Key Exploit Risks:

1. Users lose funds due to dust accumulation

2. Depositors receive less than expected over time

3. Borrowers may not repay full debt, leading to under-collateralization

4. Protocol balance inconsistencies (misaligned accounting)

If left unchecked, this issue drains liquidity pools, leaves user funds stranded, and exposes the protocol to insolvency risks.

Vulnerability Details

1. Interest Calculation Uses Two Different Models

Deposits use a Linear Interest Model

• Interest grows at a constant rate over time.

• This method is simple but inaccurate for long-term deposits.

📌 Borrows use a Compound Interest Model

• Interest is reinvested into the principal.

• The debt grows exponentially rather than linearly.

The Problem:

1. When a user deposits funds, the system applies linear interest.

2. When a user borrows, the system applies compound interest.

3. Over time, the interest values drift apart, creating small leftover balances ("dust") that cannot be claimed or withdrawn.

2. How Attackers Can Exploit This

Attackers can abuse this mismatch in the following ways:

Attack Scenario 1: Draining Liquidity via Interest Dust

1. The attacker deposits a small amount of USDC into the lending pool.

2. The attacker borrows a large amount using an NFT as collateral.

3. Due to compound rounding mismatches, their borrow balance may be lower than expected.

4. The attacker pays slightly less than they borrowed but keeps the extra borrowed funds.

5. The protocol loses money over time, leading to bad debt accumulation.

Attack Scenario 2: Exploiting Dust to Manipulate Liquidation

1. A borrower intentionally accumulates "dust" balances by borrowing and repaying multiple times.

2. The protocol fails to register small unpaid dust amounts, incorrectly marking the loan as "fully paid."

3. The borrower walks away without fully repaying their debt, leaving lenders at a loss.

Proof of Concept (PoC) Exploit Script

This PoC demonstrates how a borrower can underpay debt due to the rounding mismatch.

Expected Outcome

• The attacker keeps extra borrowed funds due to rounding mismatches.

• The protocol fails to detect underpayment, leading to long-term liquidity loss.

• Over time, dust accumulation leads to protocol insolvency.

Impact

Lost User Funds

• Lenders lose accrued interest that cannot be withdrawn.

• Borrowers pay back less than they owe due to protocol miscalculations.

Liquidity Pool Imbalances

• The mismatch leaves leftover funds ("dust") in liquidity pools, reducing capital efficiency.

Under-Collateralization Risk

• Borrowers appear solvent when they are actually under-collateralized.

Protocol Insolvency

• Over time, dust accumulation drains liquidity pools, making the protocol unable to cover withdrawals.

Tools Used

• Manual Review – Identified mismatched interest models.

• Slither – Detected financial inconsistencies.

• Foundry & Echidna Fuzzing – Simulated long-term dust accumulation.

Recommendations

1. Use Consistent Interest Models

• Apply either linear or compound interest uniformly across deposits and borrows.

• The best approach is to use compound interest for both to match DeFi standards (like Aave).

2. Implement Dust Collection Mechanisms

• Introduce a function to sweep dust balances and redistribute them to depositors.

3. Use Higher Precision Accounting (e.g., 18 decimals for stablecoins)

• Round interest to higher decimal places before applying calculations.

4. Implement a Borrow Health Check Before Liquidation

• Ensure dust balances are properly accounted for before marking loans as fully paid.