Every time borrow, the interest is treated as a loan to calculate the interest

[code423n4]

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L896-L897

Vulnerability details

Impact

File: VToken.sol
 896         uint256 accountBorrowsPrev = _borrowBalanceStored(borrower);
 897         uint256 accountBorrowsNew = accountBorrowsPrev + borrowAmount;

After each loan, the original interest will be converted into the loan amount. This can cause interest to increase more than expected, especially if the rate is very large.

Proof of Concept

Assuming an interest rate of 1% per day. The user borrows 100 USD first, and then borrows 100 USD after 50 days.

• expect:

  debt = 100 + 100 1% 100 days + 100 + 100 1% 50 days = 100 + 100 + 100 + 50 = 350

• actual:

  debt1 = 100 + 100 1% 100 days = 200

  debt2 = (200+100) + (200+100) 1% 50 = 450

Total debt is 450 - 350 = 100 higher

Tools Used

manual

Recommended Mitigation Steps

Don't turn interest into a loan

Assessed type

Other

[c4-judge]

0xean marked the issue as unsatisfactory: Insufficient quality