search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

Ocean_Sky - Function getTRate( ) is being computed with very low output, thus resulting to undervaluation of borrowed JUSD. #342

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Ocean_Sky

high

Function getTRate( ) is being computed with very low output, thus resulting to undervaluation of borrowed JUSD.

Summary

The JUSD interest rate mechanism through function getTRate is being computed with very low output. This will bring borrowed JUSD to be under-collateralized.

Vulnerability Detail

First we have to demo first on how getTRate works, let us compute the value of t1Rate (first month) based on assumption of monthly changes on borrowing fee rate, 219,000 blocks of time difference and 1% borrowing fee rate at beginning. Please see the illustration below:

demo

At the end of first month, the borrowed JUSD is valued at 100.0069 JUSD only, which is very low compared with other defi protocols or across crypto industry.

To demonstrate further the issue in 1 year ,let's apply changes on our borrowing fee rate , for example an increase of 25 basis points per month which is slightly close to US federal reserve interest rate changes from year 2022-2023 data. Decided to be comparable with US federal reserve because our stablecoin JUSD is based in USD so most likely the changes should have been patterned with federal reserve changes.

demo2

At the end of the year, we calculated that the value of 100 JUSD borrowed at the beginning of the year, is just 100.1979 JUSD at the end of the year. This is just too low to be compared with other defi protocols and traditional financial institutions.

Impact

tRate value is being used to compute the current value of the loan (principal + interest) and compared it against the current value of collateral assets. If the current value of collateral assets is lower than the current value of the loan, it will trigger liquidation process.

However if the current value of the loan JUSD is not being computed based on or at least close to valuation imposed across defi or crypto industry, liquidation process won't be triggered as it should be and if the liquidation process is not triggered in the correct level, borrowed JUSD will be always remain under-collateralized. There is also a lost of opportunity for liquidators, thus resulting to lost of gains from liquidation process.

Furthermore, implementing interest rate mechanism very different with defi industry will have unintended consequences. After all, the collateral assets being used here still derived value from outside of this protocol and also the value of JUSD is derived from USD.

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/JUSDBankStorage.sol#L51-L57 https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/JUSDView.sol#L183-L204

Tool used

VS Code and Manual Review

Recommendation

Change the tRate mechanism to follow a typical valuation of USD stablecoin. Mostly defi protocols imposed APY between 5%-20% on USD stablecoins.

JoscelynFarr commented 1 year ago

JUSD is only used to alleviate the USDC liquidity shortage. Not for the apy