Skip to content

Latest commit

 

History

History
53 lines (32 loc) · 2.38 KB

035.md

File metadata and controls

53 lines (32 loc) · 2.38 KB

Fast Khaki Raccoon

High

LendingAssetVault::_updateAssetMetadataFromVault() results in incorrect calculations

Summary

LendingAssetVault::_updateAssetMetadataFromVault() results in incorrect calculations

Root Cause

Upon calling the function mentioned in the summary section, we have the following code:

uint256 _vaultAssetRatioChange = _prevVaultCbr > _vaultWhitelistCbr[_vault]
            ? ((PRECISION * _prevVaultCbr) / _vaultWhitelistCbr[_vault]) - PRECISION
            : ((PRECISION * _vaultWhitelistCbr[_vault]) / _prevVaultCbr) - PRECISION;

The code above is incorrect as it should not have different ways of calculating percentages based on which value is bigger.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No attack path needed, calculations and accounting is completely incorrect when CBR decreases

Impact

Incorrect calculations which result in completely wrong accounting when the CBR has decreased

PoC

The most basic way to explain the issue is based on the fact that the 2 calculations answer different questions:

  • the first one - "What % should the current CBR increase to reach the previous one?"
  • the second one - What % did the previous CBR increase from the previous to the current CBR?"

Secondly, let's plug in some numbers:

  • the CBR has increased twice, (1e18 * 200 / 100) - 1e18 = 1e18, thus the utilized assets will double
  • the CBR has decreased by 50%, (1e18 * 200 / 100) - 1e18 = 1e18, thus the utilized assets will go to 0

Clearly, the second calculation is incorrect, the CBR only decreased by 50% but the utilized assets go to 0.

Thirdly, if we imagine that the CBR went up from 100 to 150, the calculation would be (1e18 * 150 / 100) - 1e18 = 5e17. If it instead increases this way: 100 -> 110 -> 120 -> 130 -> 140 -> 150, then the calculations would not change (will not plug in numbers here as the report will get very long, you can either trust me or calculate it on your own) and the end result for the utilized assets would be the same. However, if we do a similar thing for a decreasing CBR: 150 -> 140 -> 130 -> 120 -> 110 -> 100, this does not lead to the same calculation as if the CBR simply dropped by 50% in one go which should not be the case - the end CBR is the same in both cases so the utilized assets should also be the same.

Mitigation

Refactor the formula