devScrooge - Accrue function is not called before executing some functions
Closed this issue · 1 comments
devScrooge
medium
Accrue function is not called before executing some functions
Summary
As the NatSpec comments and documentation indicate, the functions getDebtValue
, getIsolatedCollateralValue
, getPositionDebt
, on the BlueBerryBank
contract, the accrue
function should be called first to get the current debt, but it is actually not being called.
Vulnerability Detail
The NatSpec lines 340, 420, 431 and also in the Blueberry docs indicates that: The function should be called after calling the accrue function to get the current debt
.
But actually none of these function (getDebtValue
, getIsolatedCollateralValue
, getPositionDebt
) are calling the accrue
function before.
Impact
No calling the accrue
function before executing the mentioned function means that the following operations and/or calculations are not done with the actual value of the current debt, thus a non-correct value is being used.
Inside the BlueBerryBank
contract, all of the mentioned functions are called by functions that are called by other functions that implement the poke
modifier, which in turn calls the accrue function. This means that the debt is going to be updated to the current one so the value will be correct but the getDebtValue
, getIsolatedCollateralValue
, getPositionDebt
functions are public so future or external implemented contracts can call them and use a non update value for the current debt.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L340,
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L420,
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L431
Tool used
Manual Review
Recommendation
Add the poke
modifier to the getDebtValue
, getIsolatedCollateralValue
, getPositionDebt
functions so that if external contracts call to this functions a correct value of the current debt is going to be used correct.
None of these functions are calling accrue
since they are view functions and it's saying that the user or @dev should be the one to call accrue first to get the current debt. Additionally, when a user is going modifying their position inside of a leverage position they are accruing all outstanding interest when they attempt to adjust their position.