Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

getNormalizedDebt and getNormalizedIncome will return stale indices

Summary

Whenever getNormalizedDebt or getNormalizedIncome is called, the value currently stored in reserve.usageIndex is returned as-is. This is wrong because the usageIndex changes over time and should be updated before it is returned.

Vulnerability Details

It can be seen that the liquidity index depends on time linearly (and the borrow index exponentially). So whenever getNormalizedIncome (or getNormalizedDebt) is called, the value must be updated before reserve.usageIndex is returned; otherwise a stale value is returned. This causes issues everywhere usageIndex/liquidityIndex is used externally. For example, the emission rate calculation in the stabilityPool uses the normalizedDebt, so an incorrect amount of RAAC tokens is emitted, resulting in incorrect rewards being distributed.

// Returns the stored index as-is; nothing is accrued for the time since the last update.
function getNormalizedIncome() external view returns (uint256) {
    return reserve.liquidityIndex;
}

// The index is a function of timeDelta, so the stored value ages between updates.
function calculateLiquidityIndex(uint256 rate, uint256 timeDelta, uint256 lastIndex) internal pure returns (uint128) {
    uint256 cumulatedInterest = calculateLinearInterest(rate, timeDelta, lastIndex);
    return cumulatedInterest.rayMul(lastIndex).toUint128();
}

Impact

There are many impacts; one of them is that an incorrect amount of RAAC tokens is distributed as rewards in the stabilityPool.

Tools Used

Manual review

Recommendations

Update the usageIndex and liquidityIndex in the getter functions before returning them.
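To see how far the stored liquidity index lags behind an up-to-date one, the following added Python model (not RAAC's code and not part of the original submission) compares the getter as described in this finding with one that accrues linear interest for the elapsed time before returning. The Reserve field names, the 27-decimal ray arithmetic, the linear-interest formula and the sample values are assumptions made for illustration.

```python
# Added model, not RAAC's code. Ray math and the linear-interest formula are assumed.
from dataclasses import dataclass

RAY = 10**27
SECONDS_PER_YEAR = 365 * 24 * 3600


def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply with half-up rounding (27 decimals)."""
    return (a * b + RAY // 2) // RAY


@dataclass
class Reserve:  # field names are hypothetical
    liquidity_index: int  # last index written to storage (ray)
    liquidity_rate: int   # annual rate (ray)
    last_update: int      # timestamp of the last state update


def stale_normalized_income(r: Reserve) -> int:
    """Behaviour described in the finding: return the stored index as-is."""
    return r.liquidity_index


def projected_normalized_income(r: Reserve, now: int) -> int:
    """Accrue linear interest for the elapsed time, then return the index."""
    if now < r.last_update:
        raise ValueError("timestamp earlier than last update")
    delta = now - r.last_update
    if delta == 0:
        return r.liquidity_index
    factor = RAY + r.liquidity_rate * delta // SECONDS_PER_YEAR
    return ray_mul(factor, r.liquidity_index)


def drift_bps(r: Reserve, now: int) -> int:
    """How far the stored index lags the projected one, in basis points."""
    stale = stale_normalized_income(r)
    return (projected_normalized_income(r, now) - stale) * 10_000 // stale


# Constructed sample: 10% annual rate, index last written at t = 1_700_000_000.
SAMPLE = Reserve(liquidity_index=RAY, liquidity_rate=RAY // 10, last_update=1_700_000_000)

if __name__ == "__main__":
    for days in (0, 1, 30, 365):
        now = SAMPLE.last_update + days * 86_400
        print(days, projected_normalized_income(SAMPLE, now), drift_bps(SAMPLE, now))
```

The projected getter computes the index without writing to storage, so the same approach fits a view function; any consumer that reads the stored value instead under-reports by the drift shown.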

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

LendingPool::getNormalizedIncome() and getNormalizedDebt() returns stale data without updating state first, causing RToken calculations to use outdated values
