Venus Protocol Isolated Pools - carlitox477's results

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/WhitePaperInterestRateModel.sol#L17

Vulnerability details

Description

Venus operates in the BSC chain, where the block emission rate is different from Ethereum, where Compound is deployed. In the BSC chain, the average block time is 3 seconds. This means that we can expect a block emission of $\frac{60}{3} = 20$ per minute, giving a total of $20 \times 60 \times 24 \times 365 = 10512000$ blocks per year, a total of $\frac{BSC; Blocks ; per ; Year}{ETH; Blocks ; per ; Year} - 1 = 400%$ more blocks per year.

Impact

The error leads to miscalculation of baseRatePerBlock and multiplierPerBlock, affecting critical parts of the protocol

POC

The pointed mistake leads to miscalculation of WhitePaperInterestRateModel::getBorrowRate by inflating it.

This directly affects VToken::borrowRatePerBlock and VToken::accrueInterest

VToken::accrueInterest affects:

• VToken::totalBorrowsCurrent
• VToken::borrowBalanceCurrent
• VToken::mint
• VToken::mintBehalf
• VToken::redeem
• VToken::redeemUnderlying
• VToken::borrow
• VToken::repayBorrow
• VToken::repayBorrowBehalf
• VToken::setReserveFactor
• VToken::reduceReserves
• VToken::addReserves
• VToken::setInterestRateModel
• VToken::exchangeRateCurrent
• VToken::_liquidateBorrow
• VToken::repayBorrowBehalf
• VToken::repayBorrowBehalf
• VToken::repayBorrowBehalf

Mitigation steps

Just change uint256 public constant blocksPerYear = 2102400; for uint256 public constant blocksPerYear = 10512000;

Assessed type

Error