Venus Protocol Isolated Pools - sces60107's results

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/WhitePaperInterestRateModel.sol#L17 https://github.com/code-423n4/2023-05-venus/blob/main/contracts/BaseJumpRateModelV2.sol#L23

Vulnerability details

Impact

Venus is deployed on BNB Chain instead of Ethereum. Their block times are different. And WhitePaperInterestRateModel.sol is modified from compound. Therefore, blocksPerYear should be modified or Venus would get the wrong rate when using WhitePaperInterestRateModel

Proof of Concept

WhitePaperInterestRateModel.sol set blocksPerYear to 2102400. https://github.com/code-423n4/2023-05-venus/blob/main/contracts/WhitePaperInterestRateModel.sol#L17

    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 2102400;

Which is the same in compound. https://github.com/compound-finance/compound-protocol/blob/master/contracts/WhitePaperInterestRateModel.sol#L19

    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint public constant blocksPerYear = 2102400;

However, BNB Chain has the different block time from Ethereum. BaseJumpRateModelV2.sol has the correct blocksPerYear. https://github.com/code-423n4/2023-05-venus/blob/main/contracts/BaseJumpRateModelV2.sol#L23

    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 10512000;

Tools Used

Manual Review

Recommended Mitigation Steps

Fix the blocksPerYear in WhitePaperInterestRateModel.sol

    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 10512000; // use 10512000 instead of 2102400 when deployed on BNB Chain

Assessed type

Context