code-423n4 / 2024-07-benddao-findings


Protocol should update interest rate after changing rate model in the configurator module #5

Open c4-bot-4 opened 1 month ago

c4-bot-4 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-07-benddao/blob/main/src/libraries/logic/ConfigureLogic.sol#L526
https://github.com/code-423n4/2024-07-benddao/blob/main/src/libraries/logic/ConfigureLogic.sol#L626

Vulnerability details

Impact

After updating the interest model, the protocol does not update the interest rate, resulting in interest being calculated at the old model rates for some time.

Proof of Concept

The pool admin can change the rate model in the Configurator.sol module:

```solidity
  function executeSetAssetLendingRate(
    address msgSender,
    uint32 poolId,
    address asset,
    uint8 groupId,
    address rateModel_
  ) internal {
    DataTypes.PoolStorage storage ps = StorageSlot.getPoolStorage();

    require(groupId >= Constants.GROUP_ID_LEND_MIN, Errors.INVALID_GROUP_ID);
    require(groupId <= Constants.GROUP_ID_LEND_MAX, Errors.INVALID_GROUP_ID);
    require(rateModel_ != address(0), Errors.INVALID_ADDRESS);

    DataTypes.PoolData storage poolData = ps.poolLookup[poolId];
    _validateCallerAndPool(msgSender, ps, poolData);

    DataTypes.AssetData storage assetData = poolData.assetLookup[asset];
    require(assetData.underlyingAsset != address(0), Errors.ASSET_NOT_EXISTS);
    require(assetData.assetType == Constants.ASSET_TYPE_ERC20, Errors.ASSET_TYPE_NOT_ERC20);

    require(assetData.groupList.contains(groupId), Errors.GROUP_NOT_EXISTS);

    DataTypes.GroupData storage groupData = assetData.groupLookup[groupId];
    // >> the rate model pointer is swapped here, but the cached rates are not refreshed
    groupData.rateModel = rateModel_;

    emit Events.SetAssetLendingRate(poolId, asset, groupId, rateModel_);
  }
```

However, the interest rate is not updated, meaning interest will be calculated with the cached old model rates until InterestLogic.updateInterestRates is finally called.

Tools Used

Manual review

Recommended Mitigation Steps

    ---SNIP---

    DataTypes.GroupData storage groupData = assetData.groupLookup[groupId];
    groupData.rateModel = rateModel_;
+   InterestLogic.updateInterestRates(poolData, assetData, 0, 0)

    emit Events.SetAssetLendingRate(poolId, asset, groupId, rateModel_);
  }
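Review bot: the added line `InterestLogic.updateInterestRates(poolData, assetData, 0, 0)` is missing its terminating semicolon and will not compile as written; it should read `InterestLogic.updateInterestRates(poolData, assetData, 0, 0);`. It would also help to state in the mitigation that the call is deliberately placed after `groupData.rateModel = rateModel_;` so that the refreshed rates are taken from the new model rather than the one being replaced.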

Assessed type

Other
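Added illustration of the stale-rate pattern this finding describes, showing a setter that swaps the model without refreshing beside the mitigated form. This is constructed example code, not BendDAO code; the pool, the rate model, and all names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example (not BendDAO code): a pool that caches its borrow rate
// and only recomputes it inside updateInterestRates(), as the finding describes.
interface IRateModel {
    function borrowRate(uint256 utilization) external view returns (uint256);
}

contract FixedRateModel is IRateModel {
    uint256 public immutable rate;
    constructor(uint256 rate_) { rate = rate_; }
    function borrowRate(uint256) external view override returns (uint256) { return rate; }
}

contract MiniPool {
    IRateModel public rateModel;
    uint256 public cachedBorrowRate;   // used by every accrual until refreshed
    uint256 public utilization = 5e17; // 50%, held constant for the illustration

    constructor(IRateModel model) {
        rateModel = model;
        updateInterestRates();
    }

    // Stand-in for InterestLogic.updateInterestRates: pulls fresh rates from the model.
    function updateInterestRates() public {
        cachedBorrowRate = rateModel.borrowRate(utilization);
    }

    // Pattern from the finding: the model pointer changes, but cachedBorrowRate
    // keeps the old model's value until some borrow/repay triggers a refresh.
    function setRateModelStale(IRateModel model) external {
        rateModel = model;
    }

    // Mitigated pattern: refresh immediately so no accrual ever uses the old model.
    function setRateModelRefreshed(IRateModel model) external {
        rateModel = model;
        updateInterestRates();
    }

    // Interest the pool would accrue on `principal` over `dt` seconds at the cached rate
    // (rate is an 18-decimal annual fraction); after setRateModelStale this still
    // reflects the previous model, after setRateModelRefreshed it reflects the new one.
    function accruedInterest(uint256 principal, uint256 dt) external view returns (uint256) {
        return principal * cachedBorrowRate * dt / 1e18 / 365 days;
    }
}
```

Deploy MiniPool with a FixedRateModel(2e16), swap to FixedRateModel(10e16) via each setter in turn, and compare accruedInterest(): only the refreshed setter changes the result before the next updateInterestRates() call.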

c4-judge commented 1 month ago

MarioPoneder marked the issue as duplicate of #7

c4-judge commented 1 month ago

MarioPoneder marked the issue as partial-50

c4-judge commented 1 month ago

MarioPoneder marked the issue as not a duplicate

c4-judge commented 1 month ago

MarioPoneder marked the issue as primary issue

MarioPoneder commented 1 month ago

Different instance than #7.

c4-judge commented 1 month ago

MarioPoneder marked the issue as satisfactory

c4-judge commented 1 month ago

MarioPoneder marked the issue as selected for report

thorseldon commented 1 month ago

Fixed here: https://github.com/BendDAO/bend-v2/commit/2a3d10adcd879b70835e8f1dcf9408b2fc817021

thorseldon commented 1 month ago

We suggest adjusting the severity level to Low Risk or Informational.

Because there are many TX actions that will frequently trigger an update of the interest index, e.g. borrow/repay. And we checked that the same logic exists in Aave V2 & V3.

MarioPoneder commented 1 month ago

Thanks for adding that clarification!

Similar case as in #7. The same reasoning applies here.