Shaggy Pistachio Parrot
Medium
In the `_deposit()` and `_redeem()` functions, the interest update is performed after the fund operations. Because of this ordering, user funds do not immediately benefit from the latest interest rates. This vulnerability can lead to arbitrage opportunities or incorrect calculation of capital utilization.
The interest update function `reserve.updateInterestRates()` is called after the minting of yTokens in the `_deposit()` function and after the redeeming of yTokens in the `_redeem()` function. This sequence means that the new funds deposited or the funds redeemed do not immediately reflect the updated interest rates.
- Deposit Risk: New funds deposited do not immediately earn interest, potentially creating an arbitrage opportunity for sophisticated users who can exploit the lag.
- Redemption Risk: Users redeeming funds might receive less than they should due to outdated interest calculations.
- Capital Utilization Calculation: The system might incorrectly calculate the utilization rate of the capital, leading to suboptimal management of the reserve.
https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/LendingPool.sol#L123

```solidity
// _deposit function fragment
IyToken(reserve.yTokenAddress).mint(onBehalfOf, yTokenAmount);
reserve.underlyingBalance += amount;
reserve.updateInterestRates(); // Interest update after minting
```
The vulnerability lies in the sequence of operations within the `_deposit()` and `_redeem()` functions. Specifically, the interest update is performed after the fund operations, which is contrary to the desired functionality where interest should be updated prior to these operations.
- Scenario 1 (Deposit):
  - User A deposits 100 tokens.
  - The `mint` function is called to create yTokens.
  - The `updateInterestRates` function is called afterward.
  - User A's deposited funds do not immediately reflect the latest interest rates, missing out on potential interest earnings.
- Scenario 2 (Redemption):
  - User B redeems 50 yTokens.
  - The `updateInterestRates` function is called after the redemption.
  - User B receives fewer underlying tokens than they should have, based on outdated interest rates.
The current implementation of the `_deposit()` and `_redeem()` functions introduces a vulnerability where interest updates are not applied immediately to the funds being deposited or redeemed. This can lead to financial discrepancies and potential exploitation by savvy users. To mitigate this risk, the interest update should precede the fund operations in both functions.