code-423n4 / 2022-08-frax-findings


interest rate calculate vulnerability #290

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L409

Vulnerability details

Impact

function _addInterest() uses the interest rate immediately generated by the current block's first transaction calculation; it will cause some interest loss.

Proof of Concept

function _addInterest() uses the interest rate immediately generated by the current block to calculate. If a user sends the first transaction in this pool, he can use a flash swap or flash loan to manipulate pool utilization, and it can always bring the current interest rate to almost the min rate (linear interest rate calculation) or a low rate (variable interest rate calculation), avoiding some interest that should have been charged; the amount of interest lost is positively correlated with the length of time the pool has not received transactions.

Tools Used

Used the official hardhat config to test this vulnerability.

Recommended Mitigation Steps

The average of the interest rates over a period of received transactions and the actually calculated interest rate can be used as the final rate.

DrakeEvans commented 2 years ago

Interest is calculated prior to changing utilization, using the last block's data. This will not work as the flash-attacked values are not used in the calculation.

gititGoro commented 2 years ago

The protocol is robust to flash manipulation of utilization. Marking invalid.
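The ordering question argued above, as an added example that is not part of this thread and not Fraxlend's code: a simplified pool model (constructed, with assumed min/max rate parameters) contrasts accruing interest after a same-transaction deposit has changed utilization against accruing first on the utilization recorded at the last update, which is the ordering the maintainer describes.

```python
from dataclasses import dataclass

# Assumed parameters for the toy linear rate curve (not Fraxlend's values).
MIN_RATE = 0.01            # annual rate at 0% utilization
MAX_RATE = 0.50            # annual rate at 100% utilization
SECONDS_PER_YEAR = 365 * 24 * 3600


def linear_rate(total_asset: float, total_borrow: float) -> float:
    """Annual rate rising linearly with utilization = borrow / asset."""
    util = total_borrow / total_asset if total_asset else 0.0
    return MIN_RATE + (MAX_RATE - MIN_RATE) * util


@dataclass
class Pool:
    total_asset: float
    total_borrow: float
    last_timestamp: int

    def accrue(self, now: int) -> float:
        """Accrue borrow interest for the time since the last update,
        using utilization as the pool state currently records it."""
        dt = now - self.last_timestamp
        if dt <= 0:
            return 0.0
        rate = linear_rate(self.total_asset, self.total_borrow)
        interest = self.total_borrow * rate * dt / SECONDS_PER_YEAR
        self.total_borrow += interest   # borrowers owe the interest
        self.total_asset += interest    # lenders earn it
        self.last_timestamp = now
        return interest


def deposit_then_accrue(pool: Pool, amount: float, now: int) -> float:
    """Unsafe ordering: a same-transaction deposit (e.g. flash-loaned funds)
    dilutes utilization before the rate for the idle period is computed."""
    pool.total_asset += amount
    return pool.accrue(now)


def accrue_then_deposit(pool: Pool, amount: float, now: int) -> float:
    """Safe ordering: accrue on last-update utilization, then apply the deposit,
    so funds that arrive in this transaction cannot lower the accrued rate."""
    interest = pool.accrue(now)
    pool.total_asset += amount
    return interest


def compare(idle_seconds: int = SECONDS_PER_YEAR, flash_deposit: float = 9000.0):
    """Same starting pool (90% utilized, idle for idle_seconds) under both orderings."""
    unsafe = deposit_then_accrue(Pool(1000.0, 900.0, 0), flash_deposit, idle_seconds)
    safe = accrue_then_deposit(Pool(1000.0, 900.0, 0), flash_deposit, idle_seconds)
    return {"unsafe": unsafe, "safe": safe}
```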