Incorrect Timestamp Update Leading to Inaccurate Interest Calculations and Potential Financial Losses #586
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
edited-by-warden
insufficient quality report: This report is not of sufficient quality
🤖_primary: AI based primary recommendation
🤖_50_group: AI based duplicate group recommendation
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/ApplyInterestLib.sol#L26-L48
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/ApplyInterestLib.sol#L50-L63
Vulnerability details
Impact
When applyInterestForPoolStatus returns an interest rate of 0, pairStatus.lastUpdateTimestamp is still updated.
If there is a valid need to update the interest rate within the same block, the check if (pairStatus.lastUpdateTimestamp >= block.timestamp) prevents this from happening. As a result, the interest rate and protocol fees are not recalculated and updated as needed.
Incorrect or missed interest calculations result in lenders receiving less interest than they are entitled to. Over time, this can accumulate to significant financial losses for lenders.
Incorrect interest calculations also affect the protocol's fee income.
Proof of Concept
POC
The current implementation of the applyInterestForToken function in the Predy protocol can lead to inaccurate interest rate and protocol fee calculations due to the improper update of pairStatus.lastUpdateTimestamp. Here’s a detailed technical explanation:
Interest Calculation Function (applyInterestForPoolStatus) Conditions:
The function applyInterestForPoolStatus may return an interest rate of 0 in the following scenarios:
Issue in applyInterestForToken:
The applyInterestForToken function does not verify whether the interest rate is actually updated before updating pairStatus.lastUpdateTimestamp.
As a result, pairStatus.lastUpdateTimestamp can be updated even when the interest rate remains unchanged (i.e., interest rate is 0).
Consequences:
If an attempt is made to update the interest rate within the same block, the check if (pairStatus.lastUpdateTimestamp >= block.timestamp) prevents the function from applying the correct interest rate.
This issue leads to a situation where the interest rate and protocol fees are not updated as needed, causing potential losses in interest earnings and protocol fees.
Example Scenario
Initial Interaction:
A lender supplies tokens at time T0.
applyInterestForToken is called, and applyInterestForPoolStatus returns an interest rate of 0 due to low utilization.
Despite no interest being applied, pairStatus.lastUpdateTimestamp is updated to T0.
Subsequent Interaction within the Same Block:
At time T0 + 5 seconds, another interaction occurs.
applyInterestForToken checks pairStatus.lastUpdateTimestamp (T0) against the current block timestamp.
Since pairStatus.lastUpdateTimestamp >= block.timestamp, the function returns early without recalculating interest, even though conditions might have changed.
Tools Used
Manual Audit
Recommended Mitigation Steps
The pairStatus.lastUpdateTimestamp value should only be updated when there is a change in interest rate.
Assessed type
Other
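A simplified Python model of the timestamp guard and timestamp update described in this report, replaying one timeline with the timestamp updated on every call and with it updated only when the returned interest is nonzero. This is an added example, not code from the report or from the Predy repository; the class and function names, the 10% rate, the linear rate formula, the "interest first, then state change" ordering and the event timeline are constructed assumptions.

```python
from dataclasses import dataclass

YEAR = 365 * 24 * 3600
RATE = 10**17  # assumed 10% annual rate at full utilization, 1e18-scaled

@dataclass
class Pair:  # hypothetical stand-in for pairStatus
    last_update: int = 0
    utilization_bps: int = 0  # 0..10_000
    accrued: int = 0          # cumulative interest growth, 1e18-scaled

def pool_interest(pair: Pair, now: int) -> int:
    """Model of applyInterestForPoolStatus: 0 if no time passed or pool is idle."""
    if now <= pair.last_update or pair.utilization_bps == 0:
        return 0
    return RATE * pair.utilization_bps // 10_000 * (now - pair.last_update) // YEAR

def apply_interest(pair: Pair, now: int, only_on_nonzero: bool) -> int:
    """Model of applyInterestForToken, including the timestamp guard."""
    if pair.last_update >= now:
        return 0  # guard: interest already handled at this timestamp
    rate = pool_interest(pair, now)
    pair.accrued += rate
    if rate > 0 or not only_on_nonzero:
        pair.last_update = now
    return rate

def replay(events, only_on_nonzero: bool):
    """Assumption: interest is applied first, then the interaction sets utilization."""
    pair, rates = Pair(), []
    for now, utilization_bps in events:
        rates.append(apply_interest(pair, now, only_on_nonzero))
        pair.utilization_bps = utilization_bps
    return pair, rates

# Constructed timeline: (timestamp, utilization after the interaction)
EVENTS = [
    (YEAR, 0),          # T0: lender supplies into an idle pool
    (YEAR, 5_000),      # same timestamp: a borrow raises utilization to 50%
    (2 * YEAR, 5_000),  # one year later: next interaction
]

if __name__ == "__main__":
    for flag in (False, True):
        pair, rates = replay(EVENTS, flag)
        print(f"only_on_nonzero={flag}: rates={rates} last_update={pair.last_update}")
```

In this constructed timeline the always-update variant accrues 5% for the borrowed year, while the update-only-on-nonzero variant accrues 10%, because the stale timestamp stretches the accrual interval back over the idle year.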