Under normal circumstances, the user calls VToken.borrow, further calls accrueInterest to update borrowIndex, and then calls preBorrowHook to trigger updateRewardTokenBorrowIndex.
But since preBorrowHook is an external function, an attacker can directly call updateRewardTokenBorrowIndex without updating borrowIndex. Using the old borrowIndex will cause the calculated reward to be wrong.
The attacker directly calls updateRewardTokenBorrowIndex to calculate the wrong reward.
manual
// Keep the flywheel moving
uint256 rewardDistributorsCount = rewardsDistributors.length;
+ vToken.accrueInterest();
for (uint256 i; i < rewardDistributorsCount; ++i) {
rewardsDistributors[i].updateRewardTokenBorrowIndex(vToken, borrowIndex);
rewardsDistributors[i].distributeBorrowerRewardToken(vToken, borrower, borrowIndex);
}
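Review bot: the added `vToken.accrueInterest()` call sits directly above the loop, but the loop still passes the existing `borrowIndex` variable, and the lines shown do not include where that variable is read. If `borrowIndex` is loaded before the new call, `updateRewardTokenBorrowIndex` and `distributeBorrowerRewardToken` still receive the pre-accrual value and the fix has no effect; load `borrowIndex` from the vToken after the accrue call, or move the call above the read. The result of `accrueInterest()` is also discarded here, so if it reports a status, check it before the reward indexes are updated.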
Other