Clever Burgundy Poodle
Medium
LendingPool::setBorrowingRateConfig does not apply the borrowingRateConfig instantly because it doesn't call ReserveLogic::updateState and ReserveLogic::updateInterestRates
The missing calls to updateState and updateInterestRates in LendingPool::setBorrowingRateConfig result in the update not having an immediate effect on the borrowingRateConfig; instead, the new configuration only takes effect at the next action that updates it.
In LendingPool::setBorrowingRateConfig, the code updates the current configuration for the borrowing and utilization rates:
https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/LendingPool.sol#L348-L358
https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/LendingPool.sol#L241-L259
This function fails to call updateState() and updateInterestRates(), meaning that the newly configured rates will not be applied immediately: for the period between now and the next action that updates the state, the old borrowingRate will be used.
N/A
N/A
- Reserve is deployed with a specific borrowingRateConfig
- After some time, the protocol wants to update this borrowingRateConfig and calls LendingPool::setBorrowingRateConfig()
- However, this new borrowingRateConfig will not actually be used until an action on the LendingPool is performed.
The impact of this vulnerability is that the protocol has no control over when the new borrowingRateConfig is actually activated. Between the setBorrowingRateConfig call and the next action on the LendingPool that updates the interest rates, the previous borrowing rate config will be used. This means that the protocol can lose funds if it wants to increase the interest rate, or will overcharge users if it wants to decrease the interest rate.
N/A
Call updateState() and updateInterestRates() in LendingPool::setBorrowingRateConfig() to ensure that the new borrowing rate config is applied immediately.
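
The effect of the missing calls and of the mitigation can be seen in a small numeric model. This is an added example, not code from the Yieldoor repository: the Reserve class, the simplified rate curve (linear up to a kink, flat above it), the figures and the call ordering inside set_config_mitigated are assumptions made for illustration.

```python
from dataclasses import dataclass

YEAR = 365 * 24 * 3600
DAY = 24 * 3600

@dataclass
class Reserve:
    """Toy reserve (hypothetical model, not the Yieldoor contracts)."""
    debt: float
    liquidity: float
    rate_at_kink: float        # stands in for borrowingRateConfig
    kink: float = 0.8
    current_rate: float = 0.0  # cached borrowing rate used for accrual
    last_update: int = 0

    def update_state(self, now: int) -> None:
        # Accrue interest for the elapsed period at the cached rate.
        self.debt += self.debt * self.current_rate * (now - self.last_update) / YEAR
        self.last_update = now

    def update_interest_rates(self) -> None:
        # Recompute the cached rate from the current config and utilization.
        u = self.debt / (self.debt + self.liquidity)
        self.current_rate = self.rate_at_kink * min(u / self.kink, 1.0)

def set_config_as_reported(r: Reserve, new_rate: float, now: int) -> None:
    r.rate_at_kink = new_rate          # config stored, cached rate untouched

def set_config_mitigated(r: Reserve, new_rate: float, now: int) -> None:
    r.update_state(now)                # settle the past period at the old rate
    r.rate_at_kink = new_rate
    r.update_interest_rates()          # new config drives accrual from `now`

def simulate(setter, idle_days: int):
    """Config doubles at day 30; the next pool action comes idle_days later."""
    r = Reserve(debt=400_000.0, liquidity=600_000.0, rate_at_kink=0.10)
    r.update_interest_rates()          # utilization 0.4 -> cached rate 5%
    setter(r, 0.20, 30 * DAY)
    rate_after_change = r.current_rate
    r.update_state((30 + idle_days) * DAY)   # the "next action"
    r.update_interest_rates()
    return r.debt, rate_after_change

if __name__ == "__main__":
    for setter in (set_config_as_reported, set_config_mitigated):
        debt, rate = simulate(setter, idle_days=30)
        print(f"{setter.__name__}: rate after change {rate:.4f}, debt {debt:,.2f}")
```

With a rate increase and 30 idle days, the model without the two calls accrues the whole idle period at the old 5% rate; the shortfall scales with how long the pool sits idle after the config change.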