Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Outdated Reserve Indices Causing Incorrect Debt and Income Computation

Summary

The functions getUserDebt, getNormalizedIncome, and getNormalizedDebt rely on reserve indices (liquidityIndex and usageIndex) to calculate user balances and income. However, these indices accrue interest over time, and if they are not updated before querying, users receive outdated values. This can lead to incorrect calculations of user debt, interest earned, and overall financial metrics. The issue can be resolved by ensuring the reserve state is updated before retrieving these values.

Vulnerability Details

Issue

  • The functions getUserDebt, getNormalizedIncome, and getNormalizedDebt fetch values based on reserve.liquidityIndex and reserve.usageIndex.

  • These indices change over time due to interest accrual. If they are not refreshed before being used, the calculations return outdated values.

  • The contract provides an updateReserveState function to refresh the indices, but this function is not called before querying user-related data.

Affected Code

  • The affected functions (getUserDebt, getNormalizedIncome, getNormalizedDebt) use outdated indices, leading to incorrect outputs.

Example of stale data retrieval:

function getUserDebt(address userAddress) public view returns (uint256) {
    UserData storage user = userData[userAddress];
    // Multiplies by the index as last written to storage; interest accrued
    // since that write is not included.
    return user.scaledDebtBalance.rayMul(reserve.usageIndex);
}

  • Since reserve.usageIndex may not be up to date, the returned debt value may not accurately reflect accrued interest.

Impact

Incorrect Debt and Income Computation

  • Users may receive misleading data when checking their outstanding debt or earned interest.

  • This could result in miscalculations for liquidation thresholds, repayment amounts, and overall financial tracking.

Tools Used

  • Manual code inspection to evaluate how reserve indices are updated and accessed.

Recommendations

Ensure Reserve Indices Are Updated Before Querying

  • Before calling getUserDebt, getNormalizedIncome, or getNormalizedDebt, invoke updateReserveState to ensure the latest values are used.

Example Fix

// `view` removed: updateReserveState writes the refreshed indices to storage,
// which a view function is not allowed to do.
function getUserDebt(address userAddress) public returns (uint256) {
    ReserveLibrary.updateReserveState(reserve, rateData); // Ensure fresh data
    UserData storage user = userData[userAddress];
    return user.scaledDebtBalance.rayMul(reserve.usageIndex);
}

Maintain Consistency Across All Functions

  • Any function relying on liquidityIndex and usageIndex should always call updateReserveState before returning data.

  • This ensures that users and other contract functions always work with accurate and up-to-date financial data.
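
A getter declared view cannot write a refreshed index to storage, so another way to return fresh values is to project the index inside the getter and leave the write to state-changing paths. The contract below is an added example, not part of the submission or of RAAC's code; the usageRate and lastUpdateTimestamp fields, the linear accrual formula, and the names StaleIndexDemo, projectedUsageIndex and getUserDebtStored are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration, not RAAC code. usageRate, lastUpdateTimestamp and the
// linear accrual formula are assumptions made for this sketch.
contract StaleIndexDemo {
    uint256 internal constant RAY = 1e27;
    uint256 internal constant SECONDS_PER_YEAR = 365 days;
    uint256 public usageIndex = RAY;      // ray, last value written to storage
    uint256 public usageRate = RAY / 10;  // ray, 10% per year (constructed value)
    uint256 public lastUpdateTimestamp = block.timestamp;
    mapping(address => uint256) public scaledDebtBalance;

    function rayMul(uint256 a, uint256 b) internal pure returns (uint256) {
        return (a * b + RAY / 2) / RAY;
    }

    function rayDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        return (a * RAY + b / 2) / b;
    }

    // Index the reserve would hold if it were updated in the current block.
    function projectedUsageIndex() public view returns (uint256) {
        uint256 elapsed = block.timestamp - lastUpdateTimestamp;
        if (elapsed == 0) return usageIndex;
        uint256 growth = RAY + (usageRate * elapsed) / SECONDS_PER_YEAR;
        return rayMul(usageIndex, growth);
    }

    // Stale read, same shape as the affected getter: stored index only.
    function getUserDebtStored(address user) external view returns (uint256) {
        return rayMul(scaledDebtBalance[user], usageIndex);
    }

    // Fresh read that is still `view`: nothing is written.
    function getUserDebt(address user) external view returns (uint256) {
        return rayMul(scaledDebtBalance[user], projectedUsageIndex());
    }

    // State-changing paths persist the same projection before using it.
    function updateReserveState() public {
        usageIndex = projectedUsageIndex();
        lastUpdateTimestamp = block.timestamp;
    }

    function borrow(uint256 amount) external {
        updateReserveState();
        scaledDebtBalance[msg.sender] += rayDiv(amount, usageIndex);
    }
}
```

With the constructed 10% rate, a debt of 1,000 units read one year after the last update comes back as 1,000 from getUserDebtStored and 1,100 from getUserDebt.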

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNormalizedIncome() and getNormalizedDebt() returns stale data without updating state first, causing RToken calculations to use outdated values
