Wrong interest can be charged if interest is changed without calling accrue()
Proof of Concept
The function setDebtInterestApr() updates the interest charged on debt without calling accrue() before to compute previous interests. If someone takes debt at 2% and after 1 month no one accrues and interest is changed to 5% user will pay 5% interest for the past month while the interest was 2%
Recommended Mitigation Steps
call accrue() in the beginning of setDebtInterestApr()
spaghettieth
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L212
Vulnerability details
Impact
Wrong interest can be charged if interest is changed without calling accrue()
Proof of Concept
The function setDebtInterestApr() updates the interest charged on debt without calling accrue() before to compute previous interests. If someone takes debt at 2% and after 1 month no one accrues and interest is changed to 5% user will pay 5% interest for the past month while the interest was 2%
Recommended Mitigation Steps
call accrue() in the beginning of setDebtInterestApr()