Possible griefing attack on lending pools interest rates
Summary
A griefer might be able to have a borrower pay more interest than they should.
Vulnerability Detail
When a lending pool is empty or has little liquidity, it's possible to transfer the underlying token directly to it. If these tokens are borrowed, the interest rate the borrower has to pay will be higher than it should be.
Suppose there is a lending pool with little or no liquidity. A griefer could do the following:
1. Wait for Alice to borrow part of the liquidity they provided.
2. The griefer frontruns the borrow by removing their liquidity except for a few wei, and then transfers the amount Alice wants to borrow directly to the lending pool.
3. Alice's borrow will succeed, but the interest rate will be extremely high because the utilization rate is also high: the debt is large and the pool assumes it only has a few wei of liquidity.
This attack is mitigated by the following factors:
The interest rate is capped at 2^80 (~= 10^24) because of the downcasting in LendingPool::_calculateInterestRate(). The maximum interest is about 100% every 20 days.
The tokens sent directly to the pool by the griefer are effectively lost and can be transferred to the treasury.
The virtual shares implementation in the tranches might prevent the attacker from collecting all of the interest.
Impact
A borrower might have to pay more interest than they should.
Code Snippet
Tool used
Manual Review
Recommendation
Do not allow borrowing more than the total realised liquidity.
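The accounting gap and the recommended check, as a simplified model added here (not the audited contract's code). The class, its method names, and the utilisation formula (debt divided by realised liquidity, scaled by 1e18) are assumptions made for illustration.

```python
# Simplified model of the finding (added example; all names are assumptions).
WAD = 10**18

class Pool:
    def __init__(self, enforce_cap):
        self.enforce_cap = enforce_cap  # True = apply the recommendation
        self.realised_liquidity = 0     # liquidity tracked by pool accounting
        self.token_balance = 0          # tokens actually held by the pool
        self.debt = 0

    def deposit(self, amount):
        self.realised_liquidity += amount
        self.token_balance += amount

    def withdraw(self, amount):
        if amount > self.realised_liquidity or amount > self.token_balance:
            raise ValueError("insufficient liquidity")
        self.realised_liquidity -= amount
        self.token_balance -= amount

    def direct_transfer(self, amount):
        # Plain token transfer: the balance changes, the accounting does not.
        self.token_balance += amount

    def borrow(self, amount):
        if amount > self.token_balance:
            raise ValueError("not enough tokens")
        # Recommended check: total debt may never exceed realised liquidity.
        if self.enforce_cap and self.debt + amount > self.realised_liquidity:
            raise ValueError("borrow exceeds realised liquidity")
        self.debt += amount
        self.token_balance -= amount

    def utilisation_wad(self):
        if self.realised_liquidity == 0:
            return 0
        return self.debt * WAD // self.realised_liquidity

def scenario(enforce_cap):
    """Replay the sequence from the report; return (borrow result, utilisation)."""
    pool = Pool(enforce_cap)
    pool.deposit(1000 * WAD)
    pool.withdraw(1000 * WAD - 10)    # realised liquidity is now 10 wei
    pool.direct_transfer(500 * WAD)   # unaccounted tokens sit in the pool
    try:
        pool.borrow(500 * WAD)
    except ValueError:
        return "rejected", pool.utilisation_wad()
    return "accepted", pool.utilisation_wad()
```

Without the cap the borrow is accepted against 10 wei of realised liquidity and utilisation is far above 100%; with the cap the same borrow is rejected and utilisation stays at zero.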
zzykxx
medium
Duplicate of #93