Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nfmelendez - Pool Admin when updates the reserve strategy will mix indexes and rates affecting 7 pool operations #91

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Closed

nfmelendez - Pool Admin when updates the reserve strategy will mix indexes and rates affecting 7 pool operations #91

sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Sep 10, 2024
edited by sherlock-admin3
Loading

nfmelendez

Medium

Pool Admin when updates the reserve strategy will mix indexes and rates affecting 7 pool operations

Summary

Mixed liquidityIndex and borrowIndex will cause 7 important operations in zaros not to work properly as pool admin will change the interest rate strategy of a reserve but the problem is that it doesn't update properly for the old strategy before updating the new one.

PoolConfigurator::setReserveInterestRateStrategyAddress is used to change the interest rate strategy for a reserve of a pool at any time. However before applying the change the interest should accrue for the old strategy to avoid inconsistencies in most of the critical operation of Zerolend over the affected pool:

Operation Reason
Accrue To Treasury Mixed borrowIndex
Borrow Mixed borrowIndex
Repay Mixed borrowIndex
Flashloan Mixed liquidityIndex
Liquidation Mixed Both borrowIndex and liquidationIndex
Supply Mixed liquidityIndex
Withdraw Mixed liquidityIndex

Root Cause

PoolConfigurator.sol:105 setReserveInterestRateStrategyAddress change one strategy for another updating the field interestRateStrategyAddress, then is used in ReserveLogic::updateInterestRates to update _reserve.liquidityRate and _reserve.borrowRate. Those 2 fields are use then by ReserveLogic::updateState to update the borrowIndex and the liquidityIndex in a **time range [lastUpdateTimestamp, now]**The time range is important. The problem is that the time range will be t0 + t1 where t0 has liquidityRate and borrowRate from the old strategy and t1 liquidityRate and borrowRate from the new strategy leading to inconsistencies in most of the operation of zerolend.

https://github.com/sherlock-audit/2024-06-new-scope/blob/main/zerolend-one/contracts/core/pool/manager/PoolConfigurator.sol#L105-L111

https://github.com/sherlock-audit/2024-06-new-scope/blob/main/zerolend-one/contracts/core/pool/logic/PoolLogic.sol#L150

Internal pre-conditions

  1. Pool Admin needs to call PoolConfigurator::setReserveInterestRateStrategyAddress

External pre-conditions

None

Attack Path

  1. User Creates Pool
  2. Admin pool update an interest strategy address as result each liquidityIndex and borrowIndex will be mixed.

Impact

liquidityIndex and borrowIndex will be incorrect as will be a result of a mixing rates of the old reserve strategy and the new one leading to 7 pool operations working with incorrect values:

  1. Accrue To Treasury
  2. Borrow
  3. Repay
  4. Flashloan
  5. Liquidation
  6. Supply
  7. Withdraw

PoC

No response

Mitigation

Update indexes and Rates before updating the new interest strategy using:

The flow (cache -> updateState -> updateInterestRates)

Duplicate of #401
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Sep 20, 2024
@sherlock-admin3 sherlock-admin3 changed the title Massive Nylon Vulture - Pool Admin when updates the reserve strategy will mix indexes and rates affecting 7 pool operations nfmelendez - Pool Admin when updates the reserve strategy will mix indexes and rates affecting 7 pool operations Oct 3, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Oct 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3