Skip to content

Latest commit

 

History

History
57 lines (39 loc) · 3.08 KB

025.md

File metadata and controls

57 lines (39 loc) · 3.08 KB

Obedient Lava Monkey

Medium

Failure to Include Borrowed Amount in liquidityTaken Causes Reserve Imbalances and Incorrect Interest Rates

Summary

A missing inclusion of params.amount in liquidityTaken during interest rate and virtual balance updates will cause reserve imbalances for depositors as the protocol will fail to reflect accurate utilization and interest rates, allowing borrowers to exploit artificially low borrowing costs.

Root Cause

In BorrowLogic.sol, the following call to updateInterestRatesAndVirtualBalance does not account for the borrowed amount (params.amount) in liquidityTaken when params.releaseUnderlying is false:

reserve.updateInterestRatesAndVirtualBalance(
    reserveCache,
    params.asset,
    0, // liquidityAdded
    params.releaseUnderlying ? params.amount : 0 // liquidityTaken
);

The liquidityTaken parameter must always include params.amount, as borrowing reduces available liquidity regardless of the releaseUnderlying flag.
This logic incorrectly skips updating reserve utilization and interest rates for the borrowed amount when releaseUnderlying is false. However, borrowing always reduces available liquidity (liquidityTaken), regardless of whether the underlying asset is physically released. As a result, reserves are left in an inconsistent state with inaccurate utilization rates and miscalculated interest rates.

This is a clear oversight, as the updateInterestRatesAndVirtualBalance function explicitly relies on liquidityTaken to calculate new rates and balances, meaning the omission directly causes reserve imbalances.

Internal Pre-conditions

  1. Borrower calls executeBorrow() with params.releaseUnderlying set to false.
  2. The params.amount borrowed is greater than 0.

External Pre-conditions

  1. The reserve is active and has sufficient liquidity to allow borrowing.
  2. The protocol uses virtual accounting for the reserve (if applicable).

Attack Path

  1. Borrower initiates a borrow transaction with releaseUnderlying set to false.
  2. The borrowed amount is not reflected in liquidityTaken.
  3. The protocol fails to update interest rates and virtual balances accurately.
  4. Borrowers exploit artificially low interest rates, draining liquidity and reducing depositor returns.

Impact

The protocol reserves suffer an imbalance where utilization rates are under-calculated, and interest rates are too low. Borrowers gain unfairly reduced borrowing costs, potentially depleting reserves and diminishing depositor yields.

Mitigation

Update executeBorrow to always include params.amount in liquidityTaken when calling updateInterestRatesAndVirtualBalance.