Small Shamrock Rook
Medium
NumaVault.updateVault() extracts rewards before accruing interest, leading to unfair borrow interest paid
In any lending protocol, all actions which affect the interest rate should be performed AFTER accruing interest so far. This is to ensure that interest is accrued fairly.
For example, if the protocol was untouched for 1 day, and a user was hypothetically able to atomically max out the utilisation ratio before accruing interest for the 1 day, it would cause the borrowers to pay a much high interest rate for the entire day, which does not reflect the actual util ratio over that time period. This is why it's important to accrue interest BEFORE any actions that can change the util ratio / interest rate.
NumaVault.updateVault() extracts rewards before accruing interest, leading to unfair borrow interest paid by LST borrowers.
NumaVault.updateVault() extracts rewards before accruing interest, instead of accruing interest first.
Users borrow LST
No response
- Borrowing actions cause util ratio = 50%
- Then, after a day, rewards are available to be extracted
NumaVault.updateVault() is called
3. First, it calls extractRewardsNoRequire(), which sends rewards to the rwd_address, increasing util ratio to 53%
4. Then, it calls cLstToken.accrueInterest(), which accrues interest for the one day, calculating the interest rate based on the util ratio of 53% (even though the borrows for the whole day were held at a util ratio of 50%).
Borrowers pay more interest unfairly.
Borrowers pay more interest unfairly
No response
Re-arrange the function:
function updateVault() public {
+ // accrue interest
+ if (address(cLstToken) != address(0)) cLstToken.accrueInterest();
// extract rewards if any
extractRewardsNoRequire();
- // accrue interest
- if (address(cLstToken) != address(0)) cLstToken.accrueInterest();
}