Manipulation of target utilization via flash loans
Summary
Lack of withdrawal penalty for early collateral removals poses a risk of manipulation through flashloans despite EMA usage.
Vulnerability Detail
The Master Spec document describes how the manipulation of interest rates is meant to be deterred. For quote token deposits, a withdrawal penalty is applied for removals within 24h of deposits:
// apply early withdrawal penalty if quote token is removed from above the PTP
if (depositTime != 0 && block.timestamp - depositTime < 1 days) {
if (removeParams.price > _ptp(poolState_.debt, poolState_.collateral)) {
removedAmount_ = Maths.wmul(removedAmount_, Maths.WAD - _feeRate(poolState_.rate));
}
}
For collateral deposits there is no such penalty, instead the EMA of TU prevents large manipulative collateral deposits (according to the Master Spec document). The idea behind this is that a malicious actor would be required to risk having his collateral in the pool for a prolonged time to manipulate the EMA as well as the related target utilization.
However, due to the fact that the EMA is only recorded every 12 hours, a malcious actor could perform a large collateral deposit using a flash loan (and instantly withdrawing) whenever the update is enabled. This way the EMA for target utilization can be manipulated risk free (except for flash loan fees).
Impact
Manipulation of target utilization to affect interest rates.
minhtrng
medium
Manipulation of target utilization via flash loans
Summary
Lack of withdrawal penalty for early collateral removals poses a risk of manipulation through flashloans despite EMA usage.
Vulnerability Detail
The Master Spec document describes how the manipulation of interest rates is meant to be deterred. For quote token deposits, a withdrawal penalty is applied for removals within 24h of deposits:
For collateral deposits there is no such penalty, instead the
EMA of TU prevents large manipulative collateral deposits(according to the Master Spec document). The idea behind this is that a malicious actor would be required to risk having his collateral in the pool for a prolonged time to manipulate the EMA as well as the related target utilization.However, due to the fact that the EMA is only recorded every 12 hours, a malcious actor could perform a large collateral deposit using a flash loan (and instantly withdrawing) whenever the update is enabled. This way the EMA for target utilization can be manipulated risk free (except for flash loan fees).
Impact
Manipulation of target utilization to affect interest rates.
Code Snippet
https://github.com/sherlock-audit/2023-01-ajna/blob/main/contracts/src/libraries/external/LenderActions.sol#L379-L414
Tool used
Manual Review
Recommendation
Apply a withdrawal fee for early collateral withdrawals as well.
Duplicate of #101