Petite Porcelain Scorpion

Medium

An admin misconfiguration will cause unexpected interest charges for borrowers

Summary

The missing check in setBorrowingRateConfig will cause an unexpected nonzero interest rate at zero utilization for borrowers, because an admin can set utilizationA to 0.

Root Cause

https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/libraries/InterestRateUtils.sol#L25

https://github.com/sherlock-audit/2025-02-yieldoor/blob/b5a0f779dce4236b02665606adb610099451a51a/yieldoor/src/LendingPool.sol#L236

In calculateBorrowingRate there is no validation to ensure that the borrowing rate is 0 when utilizationRate is also 0.

If the admin sets utilizationA to 0 when configuring the borrowing rate, then at a utilizationRate of 0 (with utilizationA also 0, as set by the admin) the function returns borrowingRateA when it should return 0.

Internal Pre-conditions

  1. Admin sets utilizationA to 0 in the borrowing rate configuration.
  2. Reserve utilization is 0%.

External Pre-conditions

No external conditions are required since this vulnerability is due solely to an internal misconfiguration.

Attack Path

  1. Admin calls setBorrowingRateConfig with utilizationA set to 0.
  2. The system initializes the reserve with a nonzero borrowingRateA.
  3. When utilization is 0, the calculateBorrowingRate function returns borrowingRateA instead of 0, causing unexpected interest accrual.

Impact

The borrowers suffer unexpected interest charges even when no funds are borrowed, which may lead to increased costs and user dissatisfaction.

PoC

    function test_calculateBorrowingRate_returns_borrowingRateA_when_utilizationRate_is_0() public {
        // Set up the interest rate configuration with utilizationA = 0.
        // This misconfiguration should cause the function to return borrowingRateA even at 0% utilization.
        configStorage = DataTypes.InterestRateConfig({
            borrowingRateA: 0.05e27,
            utilizationA: 0,
            borrowingRateB: 0.1e27,
            utilizationB: 0.5e27,
            maxBorrowingRate: 0.2e27
        });

        uint256 utilizationRate = 0;
        uint256 result = InterestRateUtils.calculateBorrowingRate(configStorage, utilizationRate);

        // Expected behavior: at 0% utilization, the borrowing rate should be 0.
        // Actual behavior: returns borrowingRateA (0.05e27) because utilizationA is 0.
        assertEq(result, configStorage.borrowingRateA);
    }

Mitigation

Add a validation check in setBorrowingRateConfig to ensure that utilizationA is greater than 0. Alternatively, modify calculateBorrowingRate to return 0 when the utilization rate is 0, regardless of configuration.
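
Both mitigations are sketched below as an added example; this is not code from the Yieldoor repository or from the report's author. The field names come from the PoC, while the contract name `RateConfigSketch`, the `InvalidRateConfig` error, the uint256 field types, the piecewise-linear curve and the extra ordering checks are assumptions made so that the sketch is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Yieldoor source. Struct field names follow the PoC;
// every function body here is an assumed model of a two-kink rate curve.
contract RateConfigSketch {
    uint256 internal constant RAY = 1e27; // 100% utilization on the PoC's e27 scale

    struct InterestRateConfig {
        uint256 utilizationA;
        uint256 borrowingRateA;
        uint256 utilizationB;
        uint256 borrowingRateB;
        uint256 maxBorrowingRate;
    }

    InterestRateConfig public config;

    error InvalidRateConfig();

    // Mitigation 1: refuse a configuration whose first kink sits at 0% utilization.
    // Access control is omitted here; a real pool would restrict this to the admin.
    function setBorrowingRateConfig(InterestRateConfig calldata c) external {
        if (c.utilizationA == 0) revert InvalidRateConfig();
        // Ordering checks (assumed): keep the divisors and subtractions below well-defined.
        if (c.utilizationA >= c.utilizationB || c.utilizationB >= RAY) revert InvalidRateConfig();
        if (c.borrowingRateA > c.borrowingRateB || c.borrowingRateB > c.maxBorrowingRate) {
            revert InvalidRateConfig();
        }
        config = c;
    }

    // Mitigation 2: return 0 at 0% utilization regardless of what was configured.
    function calculateBorrowingRate(uint256 utilizationRate) public view returns (uint256) {
        InterestRateConfig memory c = config;
        if (utilizationRate == 0) return 0;
        if (utilizationRate >= RAY) return c.maxBorrowingRate;
        if (utilizationRate <= c.utilizationA) {
            // First segment: linear from (0, 0) to (utilizationA, borrowingRateA).
            return utilizationRate * c.borrowingRateA / c.utilizationA;
        }
        if (utilizationRate <= c.utilizationB) {
            return c.borrowingRateA + (utilizationRate - c.utilizationA)
                * (c.borrowingRateB - c.borrowingRateA) / (c.utilizationB - c.utilizationA);
        }
        return c.borrowingRateB + (utilizationRate - c.utilizationB)
            * (c.maxBorrowingRate - c.borrowingRateB) / (RAY - c.utilizationB);
    }
}
```

With the PoC's values, `setBorrowingRateConfig` reverts because `utilizationA` is 0, and `calculateBorrowingRate(0)` returns 0 for any configuration that is accepted.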