search

code-423n4 / 2023-05-venus-findings

2 stars 1 forks source link

Wrong WhitePaperInterestRateModel block per year calculations incur losses for users and the protocol #527

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/BaseJumpRateModelV2.sol#L23 https://github.com/code-423n4/2023-05-venus/blob/main/contracts/WhitePaperInterestRateModel.sol#L17

Vulnerability details

Vulnerability Details

Blocks per year calculations in WhitePaperInterestRateModel improperly assume 15 seconds block time, while on Binance Smart Chain it’s ~3 seconds. This has grave consequences, because it is used in calculating borrower’s interest rate and liquidity provider supply rate.

WhitePaperInterestRateModel uses following calculations to get blocks per year:

(365*24*60*60)/15 = 2102400

contract WhitePaperInterestRateModel is InterestRateModel {
    uint256 private constant BASE = 1e18;

    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 2102400;

However proper calculations are:

(365*24*60*60)/3 = 10512000, which is properly set in BaseJumpRateModelV2:

abstract contract BaseJumpRateModelV2 is InterestRateModel {
    uint256 private constant BASE = 1e18;
    ...
    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 10512000;

Impact

Borrowers pay only 20% for borrows, and liquidity providers loose 80% yield for providing assets to the pool. This disincentivizes users from participating in the pools using WhitePaperInterestRateModel. Additionally, this leads to an undesired situation, where users borrow from 5x less expensive markets and provide liquidity using the borrowed funds, leading to market discrepancies (overly exploited whitepaper rate pools, and overly supplied jump rate based pools). Because whitepaper interest rate don’t increase borrow rate together with utilization, it reaches 100%, disallowing LPs to unstake their borrowed assets, effectively locking them in the protocol.

Proof of Concept

  1. Venus team adds new isolated pools: ETH-DAI using whitepaper interest rates, and ETH-USDC using jump rate interest model. Both are having similar amounts of assets after few days after deploying them on mainnet.
  2. Users seeing discrepancies between two pools start to perform arbitrage - borrow on ETH-DAI pool and supplying it to ETH-USDC, earning additional profit risk free.
  3. Utilization ratio in ETH-DAI pool reaches 100%. It’s 5x cheaper than in ETH-USDC, and it’s still profitable, as long as supply rate is bigger than 20% there. Such high utilization means that there are no free funds for ETH-DAI liquidity providers to withdraw their liquidity, effective locking their funds.

Tools Used

Manual analysis

Recommended Mitigation Steps

Update blocksPerYear constant to 10512000:

   uint256 public constant blocksPerYear = 10512000;

Assessed type

Other

c4-judge commented 1 year ago

0xean marked the issue as primary issue

c4-judge commented 1 year ago

0xean marked the issue as duplicate of #559

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

0xean changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

0xean changed the severity to 3 (High Risk)