sherlock-audit / 2023-02-surge-judging


minhtrng - BorrowRate can exceed ceiling #283

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

minhtrng

medium

BorrowRate can exceed ceiling

Summary

BorrowRate can be much higher than the rate ceiling for collateralRatios larger than 1.

Vulnerability Detail

The blog gives an example of a pool that starts with a collateralRatio of 50. Such pools can make sense if one unit of the collateral token is worth much more than one unit of the loan token. In such pools the utilization will also be bigger than 1 (or 100%). This is not considered in the borrowRate calculation and can cause larger borrow rates than expected:

```solidity
return (_maxRateMantissa - _surgeRateMantissa) * 1e18 * excessUtil / (1e18 - _surgeMantissa) / 1e18 + _surgeRateMantissa;
```

Impact

BorrowRate is not actually capped at 10000% APR and can spiral out of control.

Code Snippet

https://github.com/sherlock-audit/2023-02-surge/blob/1d3b83769d14d954478118269e1bcba175462c9c/surge-protocol-v1/src/Pool.sol#L180

Tool used

Manual Review

Recommendation

Cap the borrowRate to the RATE_CEILING in the borrow rate calculation.
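A numeric model of the quoted formula, added here as an illustration and not code from the Surge protocol or from the report: it reproduces the integer arithmetic of the quoted return statement in Python for utilizations at and above 100%, and compares it with the capped variant the recommendation asks for. It assumes excessUtil is utilization minus the surge threshold (the snippet does not show how excessUtil is derived), that RATE_CEILING equals the maximum rate, and that 10000% APR corresponds to a mantissa of 100e18; all parameter values are constructed.

```python
WAD = 10**18  # 1e18 mantissa == 100%


def surge_branch_rate(util, surge, surge_rate, max_rate):
    """Integer model of the quoted return statement, for util above the surge kink.

    excess_util = util - surge is an assumption; the quoted line does not show it.
    Python // on non-negative ints matches Solidity's truncating division here.
    """
    assert util > surge, "only the surge branch of the curve is modelled"
    excess_util = util - surge
    return (max_rate - surge_rate) * WAD * excess_util // (WAD - surge) // WAD + surge_rate


def capped_rate(util, surge, surge_rate, max_rate, rate_ceiling):
    """Same formula with the cap the recommendation asks for (assumed fix, not the project's code)."""
    return min(surge_branch_rate(util, surge, surge_rate, max_rate), rate_ceiling)


# Constructed parameters, not values taken from the protocol.
SURGE = 8 * 10**17           # kink at 80% utilization
SURGE_RATE = 10**17          # 10% APR at the kink
MAX_RATE = 100 * 10**18      # 10000% APR, the intended ceiling
RATE_CEILING = MAX_RATE      # assumption: ceiling equals the max rate


def apr_percent(rate_mantissa):
    """Human-readable APR in percent for a 1e18 mantissa."""
    return rate_mantissa / WAD * 100


def demo(utils=(WAD, 2 * WAD, 50 * WAD)):
    """Return (util, uncapped, capped) rows for utilizations at and above 100%."""
    rows = []
    for util in utils:
        uncapped = surge_branch_rate(util, SURGE, SURGE_RATE, MAX_RATE)
        capped = capped_rate(util, SURGE, SURGE_RATE, MAX_RATE, RATE_CEILING)
        rows.append((util, uncapped, capped))
    return rows


if __name__ == "__main__":
    for util, uncapped, capped in demo():
        print(f"util {apr_percent(util):>8.1f}%  uncapped {apr_percent(uncapped):>10.1f}% APR"
              f"  capped {apr_percent(capped):>8.1f}% APR")
```

At exactly 100% utilization the uncapped formula returns the 10000% ceiling, as intended; at 200% it returns 59950% APR and at 5000% (a collateralRatio-50 style pool that is fully drawn) 2457550% APR, while the clamped variant stays at the ceiling.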

Evert0x commented 1 year ago

Closing issue as it's unclear