n33k - Vault: _update_debt does not accrue interest

[sherlock-admin]

n33k

medium

Vault: _update_debt does not accrue interest

Summary

_update_debt call _debt_interest_since_last_update to accrue interest but _debt_interest_since_last_update always return 0 in _update_debt.

Vulnerability Detail

_update_debt sets self.last_debt_update[_debt_token] to block.timestamp and then calls _debt_interest_since_last_update.

def _update_debt(_debt_token: address):
    ....
    self.last_debt_update[_debt_token] = block.timestamp
    ....
    self.total_debt_amount[_debt_token] += self._debt_interest_since_last_update(
        _debt_token
    )

_debt_interest_since_last_update always returns 0. because block.timestamp - self.last_debt_update[_debt_token] is always 0.

def _debt_interest_since_last_update(_debt_token: address) -> uint256:
    return (
        (block.timestamp - self.last_debt_update[_debt_token])
        * self._current_interest_per_second(_debt_token)
        * self.total_debt_amount[_debt_token]
        / PERCENTAGE_BASE
        / PRECISION
    )

Impact

Debt fee is not accrued.

Code Snippet

https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/margin-dex/Vault.vy#L1050-L1076

Tool used

Manual Review

Recommendation

Call _debt_interest_since_last_update then update last_debt_update.

[Unstoppable-DeFi]

Unstoppable-DeFi/unstoppable-dex-audit#7

[0x00ffDa]

Escalate for 10 USDC.

I believe this should be high severity.
This flaw results in definite loss of funds for the protocol and LP providers: zero revenue from all debts, no special circumstances needed.

[sherlock-admin2]

Escalate for 10 USDC.

I believe this should be high severity.
This flaw results in definite loss of funds for the protocol and LP providers: zero revenue from all debts, no special circumstances needed.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[141345]

Recommendation:
keep the original judging.

Escalate for 10 USDC.

I believe this should be high severity. This flaw results in definite loss of funds for the protocol and LP providers: zero revenue from all debts, no special circumstances needed.

The loss is on interest, not big loss in principal, the amount might not be considered "material loss of funds".

I think medium is appropriate.

[Nabeel-javaid]

IMO, high is appropriate is it is bricking the core functionality of interest. There is no point of lending when there is no interest on it.

[0xpinky]

interest is core concept in lend and borrow, flawed interest updates would brick one of the core functions. when we look at this over a period of time, the loss would have incurred is huge..
High is appropriate.

[hrishibhat]

Result:
High
Has duplicates
Considering this issue a valid high for two reasons:

• It breaks the core functionality of accruing interest on debt.
• Leading loss of revenue for protocol and LP.

[sherlock-admin2]

Escalations have been resolved successfully!

Escalation status:

• 0x00ffDa: accepted

[maarcweiss]

Fixed by calling last_debt_update after _debt_interest_since_last_update