search

sherlock-audit / 2022-10-union-finance-judging

4 stars 1 forks source link

ctf_sec - AaveV3Adapter.sol#getRate may be outdated and stale. #122

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ctf_sec

medium

AaveV3Adapter.sol#getRate may be outdated and stale.

Summary

AaveV3Adapter.sol#getRate may be outdated and stale.

Vulnerability Detail

the function getRate from AaveV3Adapter.sol returns the currentLiqudityRate directly.

function getRate(address tokenAddress) external view override returns (uint256) {
    LendingPool3.ReserveData memory reserveData = lendingPool.getReserveData(tokenAddress);
    return uint256(reserveData.currentLiquidityRate);
}

However, the reservedData.currentLiquidityRate may be outdated or stale.

Let us look into the struct of the ReserveData

    struct ReserveData {
        //stores the reserve configuration
        ReserveConfigurationMap configuration;
        //the liquidity index. Expressed in ray
        uint128 liquidityIndex;
        //the current supply rate. Expressed in ray
        uint128 currentLiquidityRate;
        //variable borrow index. Expressed in ray
        uint128 variableBorrowIndex;
        //the current variable borrow rate. Expressed in ray
        uint128 currentVariableBorrowRate;
        //the current stable borrow rate. Expressed in ray
        uint128 currentStableBorrowRate;
        //timestamp of last update
        uint40 lastUpdateTimestamp;

as we can, we have a field lastUpdateTimestamp. if the lastUpdateTimestamp is too far away from the current timestamp, the stale / oudated rate data may be used.

Impact

the stale rate affects the return value from getMoneyMarket

function getMoneyMarket(address tokenAddress, uint256 marketId)
    external
    view
    override
    returns (uint256 rate, uint256 tokenSupply)
{
    rate = moneyMarkets[marketId].getRate(tokenAddress);
    tokenSupply += moneyMarkets[marketId].getSupplyView(tokenAddress);
}

Code Snippet

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AaveV3Adapter.sol#L149-L153

Tool used

Manual Review

Recommendation

We recommend the project check that lastUpdateTimestamp is not too far from the current timestamp.

    LendingPool3.ReserveData memory reserveData = lendingPool.getReserveData(tokenAddress);
   if(reserveData.lastUpdateTimestamp - block.timestamp > interval) revert StalePriceError();
    return uint256(reserveData.currentLiquidityRate);
Evert0x commented 1 year ago

@kingjacob what is your suggested severity?

kingjacob commented 1 year ago

Low, in this version rate isnt used in assetmanager to determine where to deposit. So theres no risk of fund loss or opportunity cost.