Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-05-VENUS-FINDINGS-ISSUES-527
HistoryMay 15, 2023 - 12:00 a.m.

Wrong WhitePaperInterestRateModel block per year calculations incur losses for users and the protocol

2023-05-1500:00:00
Code4rena
github.com
6
vulnerability
binance smart chain
interest rate
borrower
liquidity provider
protocol
utilization ratio
market discrepancies
arbitrage
mitigation steps
isolated pools
JSON

Lines of code
<https://github.com/code-423n4/2023-05-venus/blob/main/contracts/WhitePaperInterestRateModel.sol#L17&gt;

Vulnerability details

Vulnerability Details

Blocks per year calculations in WhitePaperInterestRateModel improperly assume 15 seconds block time, while on Binance Smart Chain it’s ~3 seconds. This has grave consequences, because it is used in calculating borrower’s interest rate and liquidity provider supply rate.

WhitePaperInterestRateModel uses following calculations to get blocks per year:

(3652460*60)/15 = 2102400

contract WhitePaperInterestRateModel is InterestRateModel {
    uint256 private constant BASE = 1e18;

    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 2102400;

However proper calculations are:

(3652460*60)/3 = 10512000, which is properly set in BaseJumpRateModelV2:

abstract contract BaseJumpRateModelV2 is InterestRateModel {
    uint256 private constant BASE = 1e18;
    ...
    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 10512000;

Impact

Borrowers pay only 20% for borrows, and liquidity providers loose 80% yield for providing assets to the pool. This disincentivizes users from participating in the pools using WhitePaperInterestRateModel. Additionally, this leads to an undesired situation, where users borrow from 5x less expensive markets and provide liquidity using the borrowed funds, leading to market discrepancies (overly exploited whitepaper rate pools, and overly supplied jump rate based pools). Because whitepaper interest rate don’t increase borrow rate together with utilization, it reaches 100%, disallowing LPs to unstake their borrowed assets, effectively locking them in the protocol.

Proof of Concept

  1. Venus team adds new isolated pools: ETH-DAI using whitepaper interest rates, and ETH-USDC using jump rate interest model. Both are having similar amounts of assets after few days after deploying them on mainnet.
  2. Users seeing discrepancies between two pools start to perform arbitrage - borrow on ETH-DAI pool and supplying it to ETH-USDC, earning additional profit risk free.
  3. Utilization ratio in ETH-DAI pool reaches 100%. It’s 5x cheaper than in ETH-USDC, and it’s still profitable, as long as supply rate is bigger than 20% there. Such high utilization means that there are no free funds for ETH-DAI liquidity providers to withdraw their liquidity, effective locking their funds.

Tools Used

Manual analysis

Recommended Mitigation Steps

Update blocksPerYear constant to 10512000:

   uint256 public constant blocksPerYear = 10512000;

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

JSON