Jeiwan
high
Earned interest is not accounted in position's risk value, causing increased debt accumulation
Summary
The protocol allows users to deposit funds on Compound Finance, earning interest on the funds and using the funds as collateral. However, this interest is not taken into account when the risk of a position is calculated. As a result, the lending interest won't counterbalance the borrow interest accrued from debt, exposing users to a higher risk of liquidation.
Vulnerability Detail
The liquidate function allows anyone to liquidate a position. A position becomes liquidatable if its risk is above the liquidation threshold. The risk of a position is the ratio of its debt to its collateral. When a liquidation is triggered, the borrow interest of a position is accrued. However, the lending interest of the position's collateral is not accrued: when calculating the value of the lent tokens, only the initial lent amount is counted, not the earned interest.
Funds deposited to Compound earn interest. During depositing, the amount of cTokens minted equals the amount of tokens deposited. However, the exchange rate changes as interest accrues, allowing depositors to redeem their cTokens for more underlying tokens after some time. This interest is generated by the funds users deposit as collateral for borrowing. However, the earned interest is not accounted for in the risk calculation of a position, which increases the effect of the borrow interest, eventually forcing users to repay debt while they have enough collateral.
Impact
Debts accrue faster than expected, due to collateral's earned interest rate not being counted in the risk value of a position. Users may be forced to repay their debts while there's enough collateral.
Code Snippet
BlueBerryBank.sol#L485-L488
Tool used
Manual Review
Recommendation
In the getPositionRisk function, consider accruing the interest earned by collateral since it was deposited. This will require tracking the internal exchange rate of a cToken at the moment collateral was added and comparing it to the exchange rate at the moment when the risk of a position is calculated. The difference in rates can be used to compute the actual amount of underlying tokens of a position. This is similar to how the protocol computes ICHI rewards in ICHI farming.
Duplicate of #140
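One way to implement the exchange-rate tracking described in the Recommendation, as an added example that is not BlueBerryBank's own code. The contract, struct and function names are hypothetical; the only external call assumed is Compound's cToken `exchangeRateStored()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal view of a Compound cToken. exchangeRateStored() returns the
// underlying-per-cToken rate as of the market's last interest accrual.
interface ICTokenRate {
    function exchangeRateStored() external view returns (uint256);
}

// Hypothetical bookkeeping for illustration; not the project's storage layout.
contract CollateralInterestTracker {
    struct Lending {
        uint256 principal;     // underlying credited to the position at the last snapshot
        uint256 rateAtDeposit; // cToken exchange rate at the last snapshot
    }

    ICTokenRate public immutable cToken;
    mapping(uint256 => Lending) internal lendings; // positionId => lending record

    constructor(ICTokenRate cToken_) {
        cToken = cToken_;
    }

    // Call when collateral is added to a position.
    function _recordDeposit(uint256 positionId, uint256 amount) internal {
        Lending storage l = lendings[positionId];
        uint256 rateNow = cToken.exchangeRateStored();
        // Fold interest earned so far into principal before moving the
        // snapshot, so a top-up does not erase earlier interest.
        l.principal = _currentUnderlying(l, rateNow) + amount;
        l.rateAtDeposit = rateNow;
    }

    // Principal scaled by the growth of the exchange rate since the snapshot.
    function _currentUnderlying(Lending storage l, uint256 rateNow)
        internal view returns (uint256)
    {
        if (l.principal == 0 || l.rateAtDeposit == 0) return 0;
        return (l.principal * rateNow) / l.rateAtDeposit;
    }

    // Amount a risk calculation would value instead of the bare principal.
    function collateralUnderlying(uint256 positionId) public view returns (uint256) {
        return _currentUnderlying(lendings[positionId], cToken.exchangeRateStored());
    }
}
```

`exchangeRateStored()` only reflects interest up to the market's last accrual, so a risk check that must be exact should trigger accrual on the cToken first.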