Skip to content

Latest commit

 

History

History
39 lines (25 loc) · 2.33 KB

056.md

File metadata and controls

39 lines (25 loc) · 2.33 KB

Obedient Lava Monkey

Medium

Setting reserveFactor to 100% Eliminates Liquidity Provider Yield and Risks Protocol Liquidity Drain

Summary:
If the reserveFactor is set to 100%, all interest accruals are directed to the treasury, effectively eliminating future yield for liquidity providers. While this is handled correctly in the code, it creates significant economic risks as liquidity providers lose incentives to supply liquidity, potentially destabilizing the protocol.

Root Cause:
In _accrueToTreasury in ReserveLogic.sol, the function calculates the portion of accrued interest to allocate to the treasury using totalDebtAccrued.percentMul(reserveCache.reserveFactor). When reserveFactor is set to 100% (10,000 basis points), the entire accrued interest is allocated to the treasury. This results in the currLiquidityRate becoming 0, meaning liquidity providers earn no yield on their deposits. The protocol allows this configuration without enforcing an upper limit on reserveFactor, leaving it vulnerable to governance misconfiguration or malicious action.

Internal Pre-conditions:

  • The admin or governance sets the reserveFactor to exactly 100% using the reserve configuration.

External Pre-conditions:

  • The protocol operates normally with interest accrual on reserves (e.g., borrow interest from users).

Attack Path:

  1. The admin sets the reserveFactor to 100%.
  2. All accrued interest is directed to the treasury, and the currLiquidityRate becomes 0.
  3. Liquidity providers stop earning any yield on their deposits, discouraging participation.
  4. Reduced liquidity in the protocol impacts the protocol's ability to service loans or support user operations.

Impact:
Liquidity providers earn no yield, leading to reduced incentives for depositing funds into the protocol. Over time, this can result in a liquidity exodus, impairing the protocol's ability to function effectively. The protocol could also suffer reputational harm due to governance misconfiguration risks.

Mitigation:
Enforce a maximum cap on reserveFactor (e.g., 90%) to ensure that at least a portion of the interest is always distributed to liquidity providers.