code-423n4 / 2021-05-yield-findings


Using stale cToken exchange rate #68

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The chi oracle in contract CompoundMultiOracle calls the function exchangeRateStored rather than exchangeRateCurrent to get the exchange rate from Compound. However, since the function exchangeRateStored does not accrue interest before calculating the exchange rate, the return data could be out-of-date and affect the results of _mature and _accrual in the contract FYToken.

Proof of Concept

Referenced code: CompoundMultiOracle.sol#L46, FYToken.sol#L102, FYToken.sol#L125

Recommended Mitigation Steps

Use exchangeRateStored in the peek function (since it does not allow transactional operations), and exchangeRateCurrent in the get function of CompoundMultiOracle.

alcueca commented 3 years ago

We had a discussion about using stale exchange rates for chi and rate for Yield v1, in exchange for a lower gas consumption. We chose then that stale rates were preferable for our use case, and I would expect this to still be the case. However, we will revisit this issue.

We might find that the impact of using stale rates is low enough not to constitute a risk at all.
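To put a number on the gap that the report and the reply above are weighing, the following is an added example, not code from Yield or Compound: a simplified Python model of a cToken's interest accounting that compares the stored rate with the rate after accrual. The market figures, the per-block rate and the names `CTokenModel` and `rates_after_idle` are constructed assumptions.

```python
from dataclasses import dataclass

SCALE = 10**18  # fixed-point mantissa, as in Compound-style accounting


@dataclass
class CTokenModel:
    """Simplified cToken accounting (illustrative model, not Compound's code)."""
    cash: int
    borrows: int
    reserves: int
    total_supply: int
    borrow_rate_per_block: int  # scaled by 1e18
    reserve_factor: int         # scaled by 1e18
    accrual_block: int

    def exchange_rate_stored(self) -> int:
        # Reads the totals written at the last accrual; adds no interest.
        return (self.cash + self.borrows - self.reserves) * SCALE // self.total_supply

    def accrue_interest(self, block: int) -> None:
        # Simple interest on borrows for the blocks elapsed since last accrual.
        delta = block - self.accrual_block
        interest = self.borrows * self.borrow_rate_per_block * delta // SCALE
        self.borrows += interest
        self.reserves += interest * self.reserve_factor // SCALE
        self.accrual_block = block

    def exchange_rate_current(self, block: int) -> int:
        # State-changing: accrue first, then read the (now fresh) stored rate.
        self.accrue_interest(block)
        return self.exchange_rate_stored()


def rates_after_idle(blocks_idle: int) -> tuple[int, int]:
    """Return (stored, current) after `blocks_idle` blocks without accrual."""
    e18 = 10**18
    market = CTokenModel(cash=400_000 * e18, borrows=600_000 * e18,
                         reserves=10_000 * e18, total_supply=990_000 * e18,
                         borrow_rate_per_block=5 * 10**10,  # constructed rate
                         reserve_factor=10**17, accrual_block=0)
    stored = market.exchange_rate_stored()
    return stored, market.exchange_rate_current(blocks_idle)


if __name__ == "__main__":
    for idle in (0, 1_000, 100_000):
        stored, current = rates_after_idle(idle)
        print(idle, stored, current, f"{(current - stored) * 10_000 / stored:.4f} bps")
```

In this model the stored rate never exceeds the current one, and the gap grows with the number of blocks since anyone last triggered accrual on the market, so the staleness seen by an oracle depends on how active that market is.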