Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Wrong `calculateUtilizationRate` Call

ChainDefenders

Summary

In the ReserveLibrary.sol contract the updateInterestRatesAndLiquidity function calls calculateUtilizationRate. calculateUtilizationRate function expects totalDebt to be in underlying asset units, but it is passed in RAY units in this call. This leads to an incorrect utilization rate, which then results in an incorrect borrow rate calculation.

Vulnerability Details

The vulnerability arises from the updateInterestRatesAndLiquidity function which calls the calculateUtilizationRate function, which calculates the utilization rate of the reserve. This function expects totalDebt to be in underlying asset units. However, in the current implementation of updateInterestRatesAndLiquidity, totalDebt is passed in RAY units. This discrepancy leads to an incorrect utilization rate, which is then used in the calculateBorrowRate function, resulting in an incorrect borrow rate calculation.

Example Scenario

Consider the following scenario:

The totalLiquidity of the reserve is 1,000,000 units.
The totalDebt is 500,000 units, but it is passed in RAY units (500,000 * 10^27).
The calculateUtilizationRate function calculates the utilization rate using the incorrect totalDebt value.
The incorrect utilization rate is then used in the calculateBorrowRate function, leading to an incorrect borrow rate.

This scenario demonstrates how the incorrect units for totalDebt can lead to significant errors in the utilization rate and borrow rate calculations.

Impact

By passing totalDebt in RAY units instead of underlying asset units, the protocol calculates an incorrect utilization rate. This incorrect utilization rate is then used to calculate the borrow rate, leading to inaccurate interest rates for borrowers. This results in financial discrepancies, unfair borrowing conditions, and potential financial instability for the protocol. It undermines the reliability and accuracy of the protocol's interest rate calculations.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, ensure that totalDebt is converted to underlying asset units before passing it to the calculateUtilizationRate function.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

calculateUtilizationRate mixes unscaled totalLiquidity with scaled totalUsage values, causing incorrect utilization rates and interest calculations across the protocol

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

calculateUtilizationRate mixes unscaled totalLiquidity with scaled totalUsage values, causing incorrect utilization rates and interest calculations across the protocol

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.