KupiaSec - The interest rate model should be improved in the `LenderCommitmentGroup_Smart`.
Closed this issue · 0 comments
KupiaSec
medium
The interest rate model should be improved in the LenderCommitmentGroup_Smart
.
Summary
The interest rate is fixed when the loan is made.
Vulnerability Detail
The interest rate is determined based on the PoolUtilizationRatio
when the loan is made.
function getPoolUtilizationRatio() public view returns (uint16) {
[...]
return uint16( Math.min(
getTotalPrincipalTokensOutstandingInActiveLoans() * 10000 /
@> getPoolTotalEstimatedValue() , 10000 ));
}
function getMinInterestRate() public view returns (uint16) {
@> return interestRateLowerBound + uint16( uint256(interestRateUpperBound-interestRateLowerBound).percent(getPoolUtilizationRatio()) );
}
However, the PoolUtilizationRatio
is determined before incrementing totalPrincipalTokensLended
.
function acceptFundsForAcceptBid(
[...]
@> require(_interestRate >= getMinInterestRate(), "Invalid interest rate");
[...]
@> totalPrincipalTokensLended += _principalAmount;
[...]
}
So, a user can borrow total amount of liquidity available in the LenderCommitmentGroup_Smart
with the current interest rate which can be very low. Then PoolUtilizationRatio
will become very high, but the liquidity providers will recieve interest based on the low interest rate fixed when the loan is made.
Impact
The liquidity providers would receive less interset than expected.
Code Snippet
Tool used
Manual Review
Recommendation
The interest rate model should be improved in the LenderCommitmentGroup_Smart
.
Duplicate of #72