Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-05-VENUS-FINDINGS-ISSUES-438
HistoryMay 15, 2023 - 12:00 a.m.

preBorrowHook and preRepayHook can call updateRewardTokenBorrowIndex with old borrowIndex

2023-05-1500:00:00
Code4rena
github.com
3
updaterewardtokenborrowindex
wrong reward calculation
manual mitigation
JSON

Lines of code

Vulnerability details

Impact

Under normal circumstances, the user calls VToken.borrow, further calls accrueInterest to update borrowIndex, and then calls preBorrowHook to trigger updateRewardTokenBorrowIndex.

But since preBorrowHook is an externl function, an attacker can directly call updateRewardTokenBorrowIndex without updating borrowIndex. Using the old borrowIndex will cause the calculated reward to be wrong

Proof of Concept

The attacker directly calls updateRewardTokenBorrowIndex to calculate the wrong reward

Tools Used

manual

Recommended Mitigation Steps

        // Keep the flywheel moving
        uint256 rewardDistributorsCount = rewardsDistributors.length;

+       vToken.accrueInterest();
        for (uint256 i; i < rewardDistributorsCount; ++i) {
            rewardsDistributors[i].updateRewardTokenBorrowIndex(vToken, borrowIndex);
            rewardsDistributors[i].distributeBorrowerRewardToken(vToken, borrower, borrowIndex);
        }

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

JSON