This means that if LOAN_TOKEN has low decimals, interest will be rounded to zero if the last accrual time was recent enough.
Let us take for instance a pool with EURS (2 decimals) as their LOAN_TOKEN on the Polygon blockchain. Let us suppose a borrow rate of 5e17 (50%) and a _totalDebt of 150k EURS:
Interest does not accrue properly for pools with low decimal tokens.
This is contingent on the total debt to be low enough, and is more likely to happen in chains with low block times (such as Polygon).
This is quite an issue as low-liquidity pools will essentially push depositors to exit (as interest accrual is lower than expected).
joestakey
medium
Interest will not accrue properly for low decimal tokens
Summary
Interest accrual will not work for pools with a low decimal
LOAN_TOKEN.Vulnerability Detail
Interest is accrued in
getCurrentBalance:The issue is that
totalDebtis inLOAN_TOKENdecimals:This means that if
LOAN_TOKENhas low decimals, interest will be rounded to zero if the last accrual time was recent enough.Let us take for instance a pool with
EURS(2 decimals) as theirLOAN_TOKENon thePolygonblockchain. Let us suppose a borrow rate of5e17(50%) and a_totalDebtof150k EURS:_interest = _totalDebt * _borrowRate * _timeDelta / (365 days * 1e18);= 150e5 * 5e17 * 2 / (31536000 * 1e18)= 15e6 * 1e18 / (31536000 * 1e18)= 0Impact
Interest does not accrue properly for pools with low decimal tokens. This is contingent on the total debt to be low enough, and is more likely to happen in chains with low block times (such as Polygon). This is quite an issue as low-liquidity pools will essentially push depositors to exit (as interest accrual is lower than expected).
Code Snippet
https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L154
Tool used
Manual Review
Recommendation
The best way to tackle this would be to scale all the state variables tracking debt and deposits to 1e18 (
lastTotalDebt, etc).Duplicate of #225