This repository has been archived by the owner on Apr 28, 2024. It is now read-only.

mstpr-brainbot - When the new rate model is set the latest interest is not accrued according to the previous rate model #122

Closed
sherlock-admin opened this issue Oct 28, 2023 · 4 comments
Labels
Disagree With (non-)Duplication: The sponsor disputed the duplication state of this issue; Disagree With Severity: The sponsor disputed the severity of this issue; Non-Reward: This issue will not receive a payout; Will Fix: The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Contributor

sherlock-admin commented Oct 28, 2023

mstpr-brainbot

medium

When the new rate model is set the latest interest is not accrued according to the previous rate model

Summary

When the new rate model is set the latest interest is not accrued according to the previous rate model which would create an unfair situation for the users.

Vulnerability Detail

Whenever there is a change in the interest rate, the interest first accrues from the latest block to the current block for actions such as repay, borrow, deposit, and redeem. However, when a new rate model is set, the most recent interest does not accrue. Instead, it will accrue based on the current rate model, leading to an unfair and inconsistent interest accrual for users.

As seen here:
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Lender.sol#L59-L64

When the new rate model is set the previous interest is not accrued.

Impact

Unfair accrual of the interest. If the new rate model is significantly different and there is a lot of interest waiting to be accrued, this can make the previous interest accrue in the rate model, which can make the dripping of the interest unfair for the lenders and borrowers.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Factory.sol#L282-L318

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Lender.sol#L59-L64

Tool used

Manual Review

Recommendation

Accrue the interest before the rate model update via `accrueInterest()` or the same flywheel with the repay-borrow-deposit-redeem functions (`_load()` and `_save()`).

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Oct 31, 2023
@sherlock-admin2
Contributor

2 comment(s) were left on this issue during the judging contest.

panprog commented:

low, because the loss is insignificant and rewards calculations are not exact and preferred to be undercalculated as described by the developers

MohammedRizwan commented:

valid

@haydenshively haydenshively added Disagree With Severity The sponsor disputed the severity of this issue Disagree With (non-)Duplication The sponsor disputed the duplication state of this issue labels Oct 31, 2023
@haydenshively

I don't think this is a duplicate of #41, because #41 is talking about using up-to-date liabilities in the Borrower, while this is talking about accruing interest before setting the rateModel in Lender.

That said, I think it's Low severity because governance could only retroactively change 1 week's worth of interest, and anyone could frontrun the governance transaction with an accrueInterest() call to prevent that.

@cvetanovv cvetanovv added Non-Reward This issue will not receive a payout and removed High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Oct 31, 2023
@sherlock-admin2 sherlock-admin2 changed the title Faint Bronze Millipede - When the new rate model is set the latest interest is not accrued according to the previous rate model mstpr-brainbot - When the new rate model is set the latest interest is not accrued according to the previous rate model Nov 7, 2023
@haydenshively haydenshively added the Will Fix The sponsor confirmed this issue will be fixed label Nov 28, 2023
@haydenshively

haydenshively commented Nov 28, 2023

Fixed in aloelabs/aloe-ii#206

@roguereddwarf
Collaborator

Mitigation Review:

While this issue is not considered a valid High / Medium as per Sherlock's rules, the protocol team still decided to fix it.

The interest is now accrued before the new RateModel is set. Hence, the issue is fixed.
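
The ordering problem discussed in this thread, modelled as an added Python example (not Aloe's code and not written by any participant). The `Lender` class, the simple per-second interest formula, the fixed-point scale and all sample numbers are assumptions made for illustration.

```python
# Added illustration: a simplified lender, not Aloe's Lender.sol.
from dataclasses import dataclass

WEEK = 7 * 24 * 3600
ONE = 10**12  # fixed-point scale for per-second rates (assumption)


@dataclass
class Lender:
    borrows: int       # outstanding debt in token units
    rate: int          # per-second rate, scaled by ONE
    last_accrual: int  # timestamp of the last accrual

    def accrue_interest(self, now: int) -> None:
        """Charge interest for [last_accrual, now] at the rate currently stored."""
        elapsed = now - self.last_accrual
        self.borrows += self.borrows * self.rate * elapsed // ONE
        self.last_accrual = now

    def set_rate_unsafe(self, new_rate: int) -> None:
        # Behaviour described in the report: the rate is swapped without
        # accruing, so the pending period is later charged at new_rate.
        self.rate = new_rate

    def set_rate_fixed(self, new_rate: int, now: int) -> None:
        # Recommended ordering: settle the pending period at the old rate first.
        self.accrue_interest(now)
        self.rate = new_rate


def debt_after(setter: str, frontrun: bool = False) -> int:
    """Debt at t = 2 * WEEK when governance changes the rate at t = WEEK."""
    old_rate, new_rate = 1_000, 5_000  # constructed sample values
    lender = Lender(borrows=1_000_000_000, rate=old_rate, last_accrual=0)
    if frontrun:
        lender.accrue_interest(WEEK)   # permissionless call before governance
    if setter == "unsafe":
        lender.set_rate_unsafe(new_rate)
    else:
        lender.set_rate_fixed(new_rate, WEEK)
    lender.accrue_interest(2 * WEEK)
    return lender.borrows
```

In this model the unsafe setter charges the first week at the new rate, while either the fixed setter or a permissionless accrual just before the change yields the same, correctly split total.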
