Open sherlock-admin opened 1 year ago
Valid issue, although I would disagree with the severity since interest rate models are unlikely to change and we have already deprecated Compound V2 support.
Escalate for 10 USDC
While Compound V2 is intended to be deprecated, a substantial portion of Notional's codebase relied extensively on this at contest time. Looking at severity guidelines, I think this one should be included as medium severity because the scenario is considered to be viable, although unlikely.
Medium: There is a viable scenario (even if unlikely) that could cause the protocol to enter a state where a material amount of funds can be lost. The attack path is possible with assumptions that either mimic on-chain conditions or reflect conditions that have a reasonable chance of becoming true in the future. The more expensive the attack is for an attacker, the less likely it will be included as a Medium (holding all other factors constant). The vulnerability must be something that is not considered an acceptable risk by a reasonable protocol team.
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Result: Medium, Unique
Agree with the points raised in the escalation. Considering this a valid medium.
xiaoming90
medium
Treasury rebalance will fail due to interest accrual
Summary
If Compound has updated their interest rate model, then Notional will calculate the before total underlying token balance without accruing interest. If this exceeds Constants.REBALANCING_UNDERLYING_DELTA, then rebalance execution will revert.
Vulnerability Detail
The TreasuryAction._executeRebalance() function will revert on a specific edge case where oracle.getTotalUnderlyingValueStateful() does not accrue interest before calculating the value of the treasury's cToken holdings.
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/external/actions/TreasuryAction.sol#L284-L302
cTokenAggregator.getExchangeRateView() returns the exchange rate which is used to calculate the underlying value of cToken holdings in two ways: cToken.exchangeRateStored(), which DOES NOT accrue interest.
Therefore, if the interest rate model has changed, totalUnderlyingValueBefore will not include any accrued interest and totalUnderlyingValueAfter will include all accrued interest. As a result, it is likely that the delta between these two amounts will exceed Constants.REBALANCING_UNDERLYING_DELTA, causing the rebalance to ultimately revert.
It does not really make sense to not accrue interest if the interest rate model has changed unless we want to avoid any drastic changes to Notional's underlying protocol. Then we may want to explicitly revert here instead of allowing the rebalance function to still execute.
Impact
The treasury manager is unable to rebalance currencies across protocols and therefore it is likely that most funds become under-utilised as a result.
Code Snippet
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/external/actions/TreasuryAction.sol#L284-L302
Tool used
Manual Review
Recommendation
Ensure this is well understood and consider accruing interest under any circumstance. Alternatively, if we do not wish to accrue interest when the interest rate model has changed, then we need to make sure that underlyingDelta does not include this amount, as TreasuryAction._executeDeposits() will ultimately update the vault's position in Compound.
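The failure mode in this finding, as an added Python model that is not part of the report or of the Notional or Compound code bases: a minimal cToken with Compound V2's accrual arithmetic (interest = borrowRate * blocks * borrows, a reserveFactor share routed to reserves, exchange rate = (cash + borrows - reserves) / totalSupply), a "before" snapshot taken via exchangeRateStored() without accrual, the accrual that any deposit or redeem triggers inside Compound, and the delta check that reverts. The same function run with accrue_first=True is the hardened variant from the recommendation (accrue under any circumstance before the snapshot). The REBALANCING_UNDERLYING_DELTA value, the market figures, the treasury balance and the RebalanceReverted/execute_rebalance/run_scenario names are all constructed for this example; the interest-rate-model comparison inside cTokenAggregator.getExchangeRateView() is not modelled beyond its stored-rate fallback.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # Compound's 1e18 fixed-point scale

# Placeholder for Constants.REBALANCING_UNDERLYING_DELTA: the real value is
# not on the page, so this is a constructed tolerance of 1 underlying token.
REBALANCING_UNDERLYING_DELTA = 1 * 10**18


class RebalanceReverted(Exception):
    """Stands in for the revert in TreasuryAction._executeRebalance() (constructed)."""


@dataclass
class CToken:
    """Minimal model of a Compound V2 cToken's interest accounting (constructed)."""
    cash: int                   # underlying held by the market
    total_borrows: int
    total_reserves: int
    total_supply: int           # cToken supply (8 decimals)
    borrow_rate_per_block: int  # mantissa-scaled rate per block
    reserve_factor: int         # mantissa-scaled share of interest kept as reserves
    accrual_block: int          # last block at which interest was accrued
    current_block: int

    def exchange_rate_stored(self) -> int:
        # cToken.exchangeRateStored(): (cash + borrows - reserves) / totalSupply
        # using whatever was last accrued. Does NOT accrue interest.
        return (self.cash + self.total_borrows - self.total_reserves) * MANTISSA // self.total_supply

    def accrue_interest(self) -> int:
        # cToken.accrueInterest(): interest = borrowRate * blocks * borrows, added to
        # borrows, with reserveFactor of it routed to reserves. Returns interest accrued.
        blocks = self.current_block - self.accrual_block
        if blocks == 0:
            return 0
        interest = self.borrow_rate_per_block * blocks * self.total_borrows // MANTISSA
        self.total_borrows += interest
        self.total_reserves += self.reserve_factor * interest // MANTISSA
        self.accrual_block = self.current_block
        return interest


def underlying_value(ctoken_balance: int, exchange_rate: int) -> int:
    """Underlying owed for a cToken balance at the given exchange rate."""
    return ctoken_balance * exchange_rate // MANTISSA


def execute_rebalance(market: CToken, ctoken_balance: int, accrue_first: bool) -> dict:
    """Model of the before/after delta check in _executeRebalance() (constructed).

    accrue_first=False reproduces the finding: the 'before' value is read via
    exchangeRateStored() without accrual. The deposit/redeem that
    _executeDeposits() performs then accrues interest inside Compound, so the
    'after' value includes it and the delta check trips.
    accrue_first=True is the hardened variant: accrue before the snapshot.
    """
    if accrue_first:
        market.accrue_interest()
    before = underlying_value(ctoken_balance, market.exchange_rate_stored())

    # Any mint/redeem against Compound calls accrueInterest() as a side effect.
    market.accrue_interest()
    after = underlying_value(ctoken_balance, market.exchange_rate_stored())

    delta = abs(after - before)
    if delta > REBALANCING_UNDERLYING_DELTA:
        raise RebalanceReverted(f"underlying delta {delta} exceeds tolerance")
    return {"before": before, "after": after, "delta": delta}


def make_market() -> CToken:
    """Constructed market: 1,000,000 underlying (18 dec), 50,000,000 cTokens (8 dec),
    60% utilisation, 2e-8 borrow rate per block, 10,000 blocks since last accrual."""
    return CToken(
        cash=400_000 * 10**18,
        total_borrows=600_000 * 10**18,
        total_reserves=0,
        total_supply=50_000_000 * 10**8,
        borrow_rate_per_block=2 * 10**10,
        reserve_factor=10**17,
        accrual_block=0,
        current_block=10_000,
    )


TREASURY_CTOKENS = 1_000_000 * 10**8  # constructed treasury holding


def run_scenario(accrue_first: bool):
    """Returns the rebalance result dict, or the RebalanceReverted exception."""
    try:
        return execute_rebalance(make_market(), TREASURY_CTOKENS, accrue_first)
    except RebalanceReverted as exc:
        return exc


if __name__ == "__main__":
    print("stale 'before' snapshot:", run_scenario(accrue_first=False))
    print("accrue first:", run_scenario(accrue_first=True))
```

With these figures the 10,000 pending blocks accrue 120 underlying tokens of interest, which moves the treasury's valuation by 2.16 tokens between the stale snapshot and the post-deposit reading, so the unaccrued path reverts while the accrue-first path sees a zero delta. The point to carry into a review of the real code is that the tolerance is meant to catch value lost during the rebalance itself, so anything that changes valuation for unrelated reasons (here, deferred accrual) has to be settled before the snapshot or excluded from underlyingDelta.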