Rounding issue in Aave pool
The Molend protocol is built on top of the Aave protocol. A notable concern arises due to a rounding issue present in the Aave protocol, which subsequently impacts Molend. This issue has the potential to be exploited in newly deployed markets, specifically when the aToken's totalSupply
is zero.
In the initial stages of a market launch, an attacker could exploit a brief window to manipulate the exchange rate. This manipulation involves depositing a substantial amount of tokens into the pool and subsequently withdrawing all but one Wei of tokens. This action significantly inflates the value of the liquidityIndex
as the totalSupply
is then set to one Wei, leading to a discrepancy in the exchange rate. As a result, the attacker may borrow more tokens than expected.
The issue has been previously addressed and mitigated within the original Aave protocol. This mitigation involved incorporating an initial deposit requirement during the creation of new markets, ensuring that they are never left in an empty state.