Open code423n4 opened 3 years ago
We had a discussion about using stale exchange rates for chi and rate for Yield v1, in exchange for a lower gas consumption. We chose then that stale rates were preferable for our use case, and I would expect this to still be the case. However, we will revisit this issue.
We might find that the impact of using stale rates is low enough not to constitute a risk at all.
Handle
shw
Vulnerability details
Impact
The chi oracle in contract CompoundMultiOracle calls the function exchangeRateStored rather than exchangeRateCurrent to get the exchange rate from Compound. However, since the function exchangeRateStored does not accrue interest before calculating the exchange rate, the return data could be out-of-date and affect the results of _mature and _accrual in the contract FYToken.
Proof of Concept
Referenced code: CompoundMultiOracle.sol#L46 FYToken.sol#L102 FYToken.sol#L125
Recommended Mitigation Steps
Use exchangeRateStored in the peek function (since it does not allow transactional operations), and exchangeRateCurrent in the get function of CompoundMultiOracle.
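The size of the gap between the stored and the current rate can be estimated with a small model. This is an added example, not code from the issue or from the Yield or Compound code bases. It assumes the Compound-style formula (cash + borrows - reserves) / totalSupply with simple per-block interest; the names CTokenModel, staleness and sample_market and every balance and rate are constructed for illustration.

```python
from dataclasses import dataclass, replace

WAD = 10**18  # fixed-point scale for rates and ratios


@dataclass
class CTokenModel:
    """Simplified Compound-style market (hypothetical model, constructed values)."""
    cash: int
    borrows: int
    reserves: int
    total_supply: int
    borrow_rate_per_block: int  # WAD-scaled
    reserve_factor: int         # WAD-scaled
    accrual_block: int

    def exchange_rate_stored(self) -> int:
        # Read-only: uses balances as of the last accrual, adds no interest.
        return (self.cash + self.borrows - self.reserves) * WAD // self.total_supply

    def accrue_interest(self, block: int) -> None:
        delta = block - self.accrual_block
        if delta <= 0:
            return  # already accrued in this block
        interest = self.borrows * self.borrow_rate_per_block * delta // WAD
        self.borrows += interest
        self.reserves += interest * self.reserve_factor // WAD
        self.accrual_block = block

    def exchange_rate_current(self, block: int) -> int:
        # State-changing: accrue first, then read the stored rate.
        self.accrue_interest(block)
        return self.exchange_rate_stored()


def peek(market: CTokenModel) -> int:
    return market.exchange_rate_stored()            # view path, may be stale


def get(market: CTokenModel, block: int) -> int:
    return market.exchange_rate_current(block)      # transactional path, fresh


def staleness(market: CTokenModel, block: int) -> int:
    """WAD-scaled relative gap (fresh - stored) / stored; works on a copy."""
    stale = peek(market)
    fresh = get(replace(market), block)
    return (fresh - stale) * WAD // stale


def sample_market() -> CTokenModel:
    # Constructed market: 60% utilisation, 2.5e-8 interest per block, 10% reserves.
    return CTokenModel(400_000 * WAD, 600_000 * WAD, 0, 1_000_000 * WAD,
                       25_000_000_000, WAD // 10, accrual_block=0)
```

In this model the stored rate lags by 0.135% after 100,000 blocks without an accrual, and the lag grows with utilisation, borrow rate and the time since the market was last touched.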