Venus Protocol Isolated Pools - ast3ros's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Platform: Code4rena

Start Date: 08/05/2023

Pot Size: $90,500 USDC

Total HM (High/Medium findings): 17

Participants: 102

Period: 7 days

Judge: 0xean

Total Solo HM (uniquely reported High/Medium findings): 4

Id: 236

League: ETH

Venus Protocol


Researcher Performance

Rank: 62/102

Findings: 1

Award: $66.59

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

66.5871 USDC - $66.59

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-320

External Links

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/b375407d58f71c18f398709d90409e53e94234e5/contracts/WhitePaperInterestRateModel.sol#L17

Vulnerability details

Impact

baseRatePerBlock and multiplierPerBlock are derived from a blocksPerYear constant that is five times too small for BNB Chain, so both per-block rates, and the borrow and supply rates built from them, are overstated by a factor of 5. Borrowers are charged roughly five times the interest the configured per-year parameters intend, which accelerates the growth of their debt and increases their risk of becoming undercollateralized and liquidated.

Proof of Concept

The interest rate model assumes the following approximate number of blocks per year:

uint256 public constant blocksPerYear = 2102400;

https://github.com/code-423n4/2023-05-venus/blob/b375407d58f71c18f398709d90409e53e94234e5/contracts/WhitePaperInterestRateModel.sol#L17

However, this value corresponds to the Ethereum average block time of about 15 seconds (31,536,000 seconds per year / 15 ≈ 2,102,400). The Venus protocol is deployed on BNB Chain (BSC), where the block time is about 3 seconds, so the actual number of blocks per year is 31,536,000 / 3 = 10,512,000, five times the configured value.

Because blocksPerYear is underestimated by a factor of 5, the per-block rates the constructor derives from the per-year parameters are 5 times too high:

baseRatePerBlock = baseRatePerYear / blocksPerYear;

multiplierPerBlock = multiplierPerYear / blocksPerYear;

The per-block borrow and supply rates are built from these values, so both are inflated by the same factor 5 (the chain then accrues them over 10,512,000 blocks a year, not 2,102,400):

Borrow rate:

((ur * multiplierPerBlock) / BASE) + baseRatePerBlock

Supply rate (rateToPool is the borrow rate net of the reserve factor):

(utilizationRate(cash, borrows, reserves) * rateToPool) / BASE
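To put numbers on the overstatement, the following is an added example (not code from the Venus repository or from the finding itself): a Python port of the contract's integer arithmetic using the formulas and the two blocksPerYear constants quoted above. The per-year rates (2% base, 20% multiplier), the 10% reserve factor and the pool state (800 cash, 200 borrowed, 20% utilization) are constructed sample values. It annualizes each per-block rate over the 10,512,000 blocks BNB Chain actually produces, so the reader sees the APR a user really pays under the shipped constant versus the corrected one.

```python
"""Added example modelling the WhitePaperInterestRateModel rate arithmetic.
Not code from the Venus repository: the formulas and both blocksPerYear values
come from the finding; all rates, reserve factor and pool balances are
constructed sample inputs."""

from dataclasses import dataclass

BASE = 10**18                                 # 1e18 fixed-point scale of the model
SECONDS_PER_YEAR = 365 * 24 * 60 * 60         # 31_536_000
BLOCKS_PER_YEAR_CONTRACT = 2_102_400          # constant shipped in the contract (15 s blocks)
BLOCKS_PER_YEAR_BSC = SECONDS_PER_YEAR // 3   # 10_512_000 for 3 s BNB Chain blocks


@dataclass(frozen=True)
class WhitePaperModel:
    """Integer-arithmetic port of the contract's rate functions."""

    base_rate_per_year: int     # 1e18-scaled, e.g. 2e16 == 2 % per year
    multiplier_per_year: int    # 1e18-scaled slope against utilization
    blocks_per_year: int

    @property
    def base_rate_per_block(self) -> int:
        # constructor: baseRatePerBlock = baseRatePerYear / blocksPerYear
        return self.base_rate_per_year // self.blocks_per_year

    @property
    def multiplier_per_block(self) -> int:
        # constructor: multiplierPerBlock = multiplierPerYear / blocksPerYear
        return self.multiplier_per_year // self.blocks_per_year

    @staticmethod
    def utilization_rate(cash: int, borrows: int, reserves: int) -> int:
        if borrows == 0:
            return 0
        return borrows * BASE // (cash + borrows - reserves)

    def get_borrow_rate(self, cash: int, borrows: int, reserves: int) -> int:
        ur = self.utilization_rate(cash, borrows, reserves)
        return ur * self.multiplier_per_block // BASE + self.base_rate_per_block

    def get_supply_rate(self, cash: int, borrows: int, reserves: int,
                        reserve_factor_mantissa: int) -> int:
        # rateToPool: borrow rate net of the reserve factor
        one_minus_reserve_factor = BASE - reserve_factor_mantissa
        borrow_rate = self.get_borrow_rate(cash, borrows, reserves)
        rate_to_pool = borrow_rate * one_minus_reserve_factor // BASE
        return self.utilization_rate(cash, borrows, reserves) * rate_to_pool // BASE


def annualized(per_block_rate: int, actual_blocks_per_year: int) -> float:
    """Simple (non-compounded) yearly rate, as a fraction, accrued over the
    number of blocks the chain really produces in a year."""
    return per_block_rate * actual_blocks_per_year / BASE


# Constructed sample parameters: 2 % base, 20 % multiplier, 10 % reserve factor,
# a pool holding 800 units of cash with 200 borrowed (20 % utilization).
BASE_RATE_PER_YEAR = 2 * 10**16
MULTIPLIER_PER_YEAR = 20 * 10**16
RESERVE_FACTOR = 10 * 10**16
CASH, BORROWS, RESERVES = 800 * 10**18, 200 * 10**18, 0

WRONG = WhitePaperModel(BASE_RATE_PER_YEAR, MULTIPLIER_PER_YEAR, BLOCKS_PER_YEAR_CONTRACT)
FIXED = WhitePaperModel(BASE_RATE_PER_YEAR, MULTIPLIER_PER_YEAR, BLOCKS_PER_YEAR_BSC)


def effective_borrow_apr(model: WhitePaperModel) -> float:
    """Borrow APR a BNB Chain borrower actually accrues under this model."""
    return annualized(model.get_borrow_rate(CASH, BORROWS, RESERVES), BLOCKS_PER_YEAR_BSC)


def effective_supply_apr(model: WhitePaperModel) -> float:
    """Supply APR actually paid to the pool under this model."""
    rate = model.get_supply_rate(CASH, BORROWS, RESERVES, RESERVE_FACTOR)
    return annualized(rate, BLOCKS_PER_YEAR_BSC)


def overstatement_factor(model: WhitePaperModel) -> float:
    """Ratio of the charged borrow APR to the intended one
    (baseRatePerYear + multiplierPerYear * utilization)."""
    ur = model.utilization_rate(CASH, BORROWS, RESERVES)
    intended = (BASE_RATE_PER_YEAR + MULTIPLIER_PER_YEAR * ur // BASE) / BASE
    return effective_borrow_apr(model) / intended


if __name__ == "__main__":
    for name, model in (("contract (2102400)", WRONG), ("fixed (10512000)", FIXED)):
        print(f"{name}: borrow APR {effective_borrow_apr(model):.4%}, "
              f"supply APR {effective_supply_apr(model):.4%}, "
              f"{overstatement_factor(model):.3f}x intended")
```

With the shipped constant the pool charges about 30% on borrows where 6% was configured (and pays suppliers about 5.4% where 1.08% was intended); with 10512000 both land on the configured values. The small residue below 5.000 in the printed factor is integer-division rounding in the constructor, the same rounding the contract performs.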

Tools Used

Manual

Recommended Mitigation Steps

Change blocksPerYear from 2102400 to 10512000 so that it matches the 3-second BNB Chain block time:


-    uint256 public constant blocksPerYear = 2102400;
+    uint256 public constant blocksPerYear = 10512000;
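Review bot: replacing one hard-coded constant with another still bakes a chain-specific block time into the contract, so a change to the BNB Chain block interval or a deployment of the same bytecode to another chain would silently reintroduce the same class of error; consider supplying blocksPerYear through the constructor (or an admin-settable value) with a non-zero check, and apply the same review to any other rate model in the repository that divides per-year parameters by a blocksPerYear constant.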

Assessed type

Other

#0 - c4-judge

2023-05-16T09:22:08Z

0xean marked the issue as duplicate of #559

#1 - c4-judge

2023-06-05T14:02:55Z

0xean marked the issue as satisfactory

#2 - c4-judge

2023-06-05T14:38:31Z

0xean changed the severity to 3 (High Risk)
