Description

The function flashLoan does not accrue interest before executing a flash loan. If s.flashLoanFee is not zero, s.totalSupplyAssets will be increased after the flash loan.

function flashLoan(
    // [...]
) external whenNotPaused {
    PoolStorage.PoolState storage s = PoolStorage._state();
    s._flashLoan(token, assets, data);
    s._updateOrders();
}

function _flashLoan(
    PoolStorage.PoolState storage s,
    address token,
    uint256 assets,
    bytes calldata data
) internal {
    // [...]

    // Calculate flash loan fee
    uint256 feeAmount = assets.mulDiv(s.flashLoanFee, PoolConstants.WAD, Math.Rounding.Ceil);

    emit PoolEvents.FlashLoan(msg.sender, token, assets);

    SafeERC20.safeTransfer(ERC20(token), msg.sender, assets);

    IAvonFlashLoanCallback(msg.sender).onAvonFlashLoan(assets, data);

    SafeERC20.safeTransferFrom(ERC20(token), msg.sender, address(this), assets + feeAmount);
    
    s.totalSupplyAssets += feeAmount;
}

Since the function _accrueInterest calculates the borrow rate based on totalSupplyAssets and totalBorrowAssets, and then further computes the accrued interest, not accruing interest before executing a flash loan may cause some issues.

Impact

For example, if a user borrows and no one invokes the function accrueInterest for a long time, but right before the borrower prepares to repay, someone triggers a flash loan that increases the s.totalSupplyAssets. This reduces the utilization of the loan token during this period, causing the borrower to spend fewer assets when repaying compared to the case without a flash loan.

Recommendations

Consider accruing interest before executing a flash loan.

Remediation