Interest is not accrued before parameters are updated in SavingsVest
#13
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-06
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/AngleProtocol/angle-transmuter/blob/9707ee4ed3d221e02dcfcd2ebaa4b4d38d280936/contracts/savings/SavingsVest.sol#L196
Vulnerability details
Impact
Stablecoin holders can receive wrongly calculated yield in the SavingsVest contract. Also, wrong vesting profit can be slashed when the protocol is under-collateralized.
Proof of Concept
The SavingsVest contract lets users deposit their stablecoins and earn vested yield when the stablecoin in the Transmuter protocol is over-collateralized. The interest is accrued via calls to the SavingsVest.accrue function.
There are two parameters that affect the profit of depositors: protocolSafetyFee and vestingPeriod.
The two parameters can be changed via the setParams function. However, the current interest is not accrued before they are changed. For example:
1. If protocolSafetyFee is increased without accruing interest, the next accrual will happen at the increased fees, which will reduce the rewards for the depositors.
2. If vestingPeriod is increased without accruing interest, the yield will be locked for a longer period and the next accrual may slash more vested yield.
Thus, users can lose a portion of the yield that was earned at a lower protocol fee after the fee was increased. Likewise, increasing the vesting period may result in slashing yield that was earned before the period was increased.
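The two cases above can be reproduced in a small Python model. This is an added example, not code from SavingsVest or from the audit: the class, field names, arithmetic and sample values are simplified assumptions, and pending stands in for the collateral-ratio read that drives a real accrual.

```python
from dataclasses import dataclass

BASE_9 = 10**9  # fixed-point base for the fee (assumed for this model)

@dataclass
class VestModel:
    """Simplified accounting model; names and arithmetic are assumptions."""
    fee: int                 # protocolSafetyFee, as a fraction of BASE_9
    period: int              # vestingPeriod, in seconds
    vesting_profit: int = 0  # yield still vesting as of last_update
    last_update: int = 0
    pending: int = 0         # un-accrued surplus (>0) or shortfall (<0)
    credited: int = 0        # total yield credited to depositors
    slashed: int = 0         # total locked yield burned on shortfall

    def locked_profit(self, now):
        elapsed = now - self.last_update
        if elapsed >= self.period:
            return 0
        return self.vesting_profit - self.vesting_profit * elapsed // self.period

    def accrue(self, now):
        delta, self.pending = self.pending, 0
        if delta > 0:    # over-collateralized: split surplus at the current fee
            share = delta - delta * self.fee // BASE_9
            self.vesting_profit = self.locked_profit(now) + share
            self.credited += share
            self.last_update = now
        elif delta < 0:  # under-collateralized: burn at most the locked yield
            locked = self.locked_profit(now)
            cut = min(-delta, locked)
            self.vesting_profit = locked - cut
            self.slashed += cut
            self.last_update = now

    def set_params(self, now, fee, period, accrue_first):
        if accrue_first:  # recommended mitigation: settle under the old parameters
            self.accrue(now)
        self.fee, self.period = fee, period

def scenario(accrue_first, pending, new_fee, new_period):
    """Constructed case: fee 10%, period 100 s, 1000 vesting since t=0; params change at t=50."""
    m = VestModel(fee=BASE_9 // 10, period=100, vesting_profit=1_000, pending=pending)
    m.set_params(50, new_fee, new_period, accrue_first)
    m.accrue(50)
    return m.credited, m.slashed
```

With accrue_first=False the surplus earned at the 10% fee is split at the new 50% fee, and the longer period re-locks yield that had already vested, so the shortfall burns more of it.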
Tools Used
Manual review
Recommended Mitigation Steps
In the SavingsVest.setParams function, consider accruing interest with the current parameters before setting new protocolSafetyFee and vestingPeriod.
Assessed type
Other