borrow must accrueInterest first #66
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug
Warden finding
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Handle
cmichel
Vulnerability details
The UToken.borrow function first checks the borrowed balance and the old credit limit before accruing the actual interest on the market.
Thus the borrowed balance of the user does not include the latest interest, as it uses the old global borrowIndex, but the new borrowIndex is only set in accrueInterest.

Impact
In low-activity markets, it could be that the borrowIndex accruals (accrueInterest calls) happen infrequently and a long time passes between them. A borrower could borrow tokens, and borrow more tokens later at a different time without first having their latest debt accrued.
This will lead to borrowers being able to borrow more than maxBorrow and more than their credit limit, as these checks are performed before accruing interest.

Recommended Mitigation Steps
The require(accrueInterest(), "UToken: accrue interest failed"); call should happen at the beginning of the function.
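The ordering problem can be reproduced with a small Compound-style interest model. The following is an added illustration, not the UToken contract or any code from the project: the Market and Account classes, the per-block rate, and the numbers in run() are all constructed for this example. It runs the same two-step borrow with the check before and after accrual to show that the stale-index order lets the final debt exceed maxBorrow.

```python
"""Constructed toy model of a borrowIndex-based market (not the UToken code)
showing why the credit-limit check must run after accrueInterest()."""
from dataclasses import dataclass

WAD = 10**18  # fixed-point scale used for the index and the rate


@dataclass
class Account:
    principal: int = 0          # debt recorded at the account's last update
    interest_index: int = WAD   # global borrowIndex at that update


class Market:
    def __init__(self, rate_per_block: int, max_borrow: int):
        self.borrow_index = WAD     # global borrowIndex (grows with interest)
        self.accrual_block = 0      # block of the last accrueInterest()
        self.rate = rate_per_block  # WAD-scaled simple rate per block
        self.max_borrow = max_borrow
        self.block = 0

    def accrue_interest(self) -> None:
        elapsed = self.block - self.accrual_block
        if elapsed:
            self.borrow_index += self.borrow_index * self.rate * elapsed // WAD
            self.accrual_block = self.block

    def borrow_balance(self, acct: Account) -> int:
        # principal scaled by index growth since the account was last touched
        return acct.principal * self.borrow_index // acct.interest_index

    def borrow(self, acct: Account, amount: int, accrue_first: bool) -> None:
        if accrue_first:
            self.accrue_interest()  # fixed order: fresh index, then the check
        if self.borrow_balance(acct) + amount > self.max_borrow:
            raise ValueError("exceeds maxBorrow")
        if not accrue_first:
            self.accrue_interest()  # vulnerable order: check used the stale index
        acct.principal = self.borrow_balance(acct) + amount
        acct.interest_index = self.borrow_index


def run(accrue_first: bool):
    """Borrow 500 at block 0, wait 100 blocks, borrow 500 more.
    Returns the final debt, or None if the second borrow was rejected."""
    m = Market(rate_per_block=WAD // 1000, max_borrow=1000)  # 0.1% per block
    a = Account()
    m.borrow(a, 500, accrue_first)
    m.block = 100  # no accrueInterest() call happened in between
    try:
        m.borrow(a, 500, accrue_first)
    except ValueError:
        return None
    return m.borrow_balance(a)
```

With accrual first the second borrow reverts because 550 + 500 exceeds the limit; with the check first it passes on the stale balance of 500 and leaves the account owing 1050 against a maxBorrow of 1000.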