The borrow() function allows users to take out loans without considering the protocol utilization rate (i.e., the ratio of borrowings to total deposits).
Borrowers can continue to withdraw funds even if liquidity is critically low.
High utilization can trap lenders by preventing withdrawals.
The protocol might fail to liquidate bad debts due to lack of available liquidity.
Since interest rate and borrowing limits should scale with utilization, the lack of a utilization check makes it easy for whales to drain liquidity, harming the protocol’s sustainability.
The protocol has plenty of liquidity and a low borrowing rate.
An attacker borrows a large amount without restrictions.
This drains liquidity, making it impossible for lenders to withdraw.
The attacker can now manipulate interest rates, making borrowing expensive for new users.
If market conditions worsen and borrowers default, the protocol has no funds left to cover bad debt, leading to insolvency.
Liquidity crisis: If utilization reaches 100%, no funds remain for withdrawals, leading to lender losses and possible liquidation failures.
Interest rate manipulation: Attackers can artificially push utilization up by borrowing large amounts, making future loans unaffordable.
Manual Review
Enforce a utilization cap (e.g., 90%) before allowing new borrowing.
Dynamically adjust borrowing rates based on utilization to discourage excessive borrowing.
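A sketch of both recommendations together, added here as an illustration and not taken from the audited protocol's code: borrow() rejects any loan that would push post-borrow utilization above the cap, and the borrow rate follows a two-slope curve that steepens past a kink. The contract name, storage layout, kink and rate constants are all assumptions, and the pool is an accounting-only model (collateral checks, interest accrual and token transfers are outside its scope).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical accounting-only pool; every name and constant here is an assumption.
contract UtilizationGuardedPool {
    uint256 public constant WAD = 1e18;               // fixed-point scale: 1e18 == 100%
    uint256 public constant MAX_UTILIZATION = 0.9e18; // 90% cap, the example value above
    uint256 public constant KINK = 0.8e18;            // assumed utilization where the rate steepens
    uint256 public constant BASE_RATE = 0.02e18;      // assumed rate at 0% utilization
    uint256 public constant SLOPE_LOW = 0.10e18;      // assumed slope below the kink
    uint256 public constant SLOPE_HIGH = 1.00e18;     // assumed slope above the kink

    uint256 public totalDeposits; // principal supplied by lenders
    uint256 public totalBorrows;  // principal currently lent out
    mapping(address => uint256) public debtOf;

    error UtilizationTooHigh(uint256 utilizationAfter, uint256 cap);

    /// Ratio of borrowings to total deposits, scaled by WAD.
    function utilization(uint256 borrows, uint256 deposits) public pure returns (uint256) {
        // No deposits: 0% if nothing is borrowed, otherwise treat as above any cap.
        if (deposits == 0) return borrows == 0 ? 0 : type(uint256).max;
        return borrows * WAD / deposits;
    }

    /// Two-slope rate: gentle below the kink, steep above it.
    function borrowRate() public view returns (uint256) {
        uint256 u = utilization(totalBorrows, totalDeposits);
        if (u <= KINK) return BASE_RATE + u * SLOPE_LOW / WAD;
        return BASE_RATE + KINK * SLOPE_LOW / WAD + (u - KINK) * SLOPE_HIGH / WAD;
    }

    function deposit(uint256 amount) external {
        totalDeposits += amount;
    }

    function borrow(uint256 amount) external {
        // Check utilization as it would be AFTER this loan, not before it.
        uint256 uAfter = utilization(totalBorrows + amount, totalDeposits);
        if (uAfter > MAX_UTILIZATION) revert UtilizationTooHigh(uAfter, MAX_UTILIZATION);
        totalBorrows += amount;
        debtOf[msg.sender] += amount;
    }
}
```

Evaluating the cap on the post-borrow state is the important detail: a check against current utilization would still let a single large loan take the pool from low utilization straight to 100%.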