asD creator's would not be able to claim interest accrued due to wrong calculations of the maximumWithdrawable

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The asD contract implement's withdrawCarry method, which calculates the accrued interest on the users NOTE deposit. The variable maximumWithdrawable gets interest accrued by the deposit by the...

Users pay higher fee than intended

Lines of code Vulnerability details Impact Protocol mints incorrect depositAmount and depositShare to protocol. Such that reserveFee is higher than defined. Suppose following scenario: 1. Tranche 2 has 20% APR, has 5000 borrowed 2. Tranche 1 has 10% APR, has 10000 borrowed 3. ReserveFee is 10% 4...

Borrowers can still close loan normally while being defaulted

Lines of code Vulnerability details Borrowers can still close loan normally while being defaulted A borrower can repay a loan normally while having outstanding debt and close it causing losses to the lender. Impact Loans in the Particle protocol are subject to an interest rate defined by the...

Every time borrow, the interest is treated as a loan to calculate the interest

Lines of code Vulnerability details Impact File: VToken.sol 896 uint256 accountBorrowsPrev = borrowBalanceStoredborrower; 897 uint256 accountBorrowsNew = accountBorrowsPrev + borrowAmount; After each loan, the original interest will be converted into the loan amount. This can cause interest to...

Incorrect Calculation of Max Amount of Quote Tokens in moveLiquidity() Function in PositionManager.sol.

Lines of code Vulnerability details Impact The updateInterest function is called before retrieving the fromPosition value from positionsparams.tokenIdparams.fromIndex in the moveLiquidity function. This means that the bucketDeposit value may not reflect the current accrued interest, which can...

Overflow/Underflow in interest calculation caused by lack of timestamp validation in _getInterest() & _getRemainingInterest() function

Lines of code Vulnerability details Impact An attacker could manipulate the last timestamp of a lien in the stack struct to cause an underflow or overflow in the interest calculation. This could result in an incorrect interest amount being calculated, which could lead to incorrect payments being...

Interest is much lower than what it should be

Lines of code Vulnerability details Protocol interest calculation is said in the docs to be as follow: To convert a standard annualized simple interest rate to an Astaria-compatible interest per second value, divide by 3153600031536000 seconds per year and multiply by 10^18 This is not what is...

Unclaimed interest is 0 within 24 hours since the last time that loan is lent or interest is earned for project

Lines of code Vulnerability details Impact When returnToLender is called, the unclaimed interest is calculated as below. uint256 noOfDays = block.timestamp - communityProject.lastTimestamp / 86400; // 246060 /// Interest formula = principal APR days / 365 1000 // prettier-ignore uint256...

Community can lose interest because interest was calculated by days instead of seconds

Lines of code Vulnerability details Impact Community's owner lose amount of interest from project up to half of total interest Proof of concept When builder repay any loan amount by function repayLender or community call function lendToProject, function claimInterest in contract Community will be...

In Community.sol, the interest calculation formula is not correct.

Lines of code Vulnerability details Impact Currently, it calculates interest using the number of days and builders would pay nearly half or less interest than they should. So lenders wouldn't get the interest as expected and it means builders can steal the interest from lenders. Proof of Concept ...

VaultTracker miscalculates compounding interest

Lines of code Vulnerability details Impact VaultTracker neglect previously accrued interest while attempting to calculate new interest. This causes nToken holders to receive less yield than they should. All functions within VaultTracker that calculate interest are affected, including addNotional,...

Loss of funds in an underlying protocol would cause catostrophic loss of funds for swivel

Lines of code Vulnerability details Impact Loss of all user funds Proof of Concept This exploit stems from a quirk in the way that exchange rate is tracked for matured positions. We first need to breakdown how interest is calculate for a matured position. In L124 the yield for a matured position ...

Division before Multiplication May Result In No Interest Being Accrued

Lines of code Vulnerability details Impact There is a division before multiplication bug in NFTVault.calculateAdditionalInterest which may result in no interesting being accrued and will have significant rounding issues for tokens with small decimal places. This issue occurs since an intermediate...

Interest accrued could be zero for small decimal tokens

Lines of code Vulnerability details Details & Impact Interest is calculated as principal.mulborrowRate.multimeElapsed.divYEARINSECONDS.divSCALINGFACTOR; It is possible for the calculated interest to be zero for principal tokens with small decimals, such as EURS 2 decimals. Accumulated interest ca...

Simple interest calculation is not exact

Lines of code Vulnerability details Impact The borrow rate uses a simple interest formula to compute the accrued debt, instead of a compounding formula. pub fn computeinterestraw state: &mut State, blockheight: u64, balance: Uint256, aterrasupply: Uint256, borrowrate: Decimal256, targetdepositrat...