search

sherlock-audit / 2023-02-surge-judging

4 stars 1 forks source link

minhtrng - Low excess utils causes low interest accrual #271

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

minhtrng

medium

Low excess utils causes low interest accrual

Summary

BorrowRate calculation is based on excess util. This can cause almost non-existing borrow rates even though in surge state.

Vulnerability Detail

The function getBorrowRateMantissa calculates the borrowRate in surgeState like this:

if(_util <= _surgeMantissa) {
    ...
} else {
    uint excessUtil = _util - _surgeMantissa;
    return (_maxRateMantissa - _surgeRateMantissa) * 1e18 * excessUtil / (1e18 - _surgeMantissa) / 1e18 + _surgeRateMantissa; 
}

If the excess util is very low the interest accrued over time will be very low as well. This can simply happen by someone borrowing up to the _surgeMantissa and then accruing interest one block later.

Impact

Reduced yields

Code Snippet

https://github.com/sherlock-audit/2023-02-surge/blob/1d3b83769d14d954478118269e1bcba175462c9c/surge-protocol-v1/src/Pool.sol#L180

Tool used

Manual Review

Recommendation

Calculation of borrow rate probably should have a summand added as a constant instead of just being calculated as a fraction, something like _surgeRate + x/y

Evert0x commented 1 year ago

Closing issue as it's unclear how this affects the protocol is a negative way