Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Molend Protocol>Discussion>Rounding issue in Aave pool
GeneralOverview
Findings
Medium (2)
Low (1)
Informational (1)
DiscussionRounding issue in Aave poolStable-rate mode borrowing vulnerability in Aave pools
Threat ModelWhat are threat models?ChainlinkSourcesRegistry.sol
Audit ResultsSummary

Rounding issue in Aave pool

The Molend protocol is built on top of the Aave protocol. A notable concern arises due to a rounding issue present in the Aave protocol, which subsequently impacts Molend. This issue has the potential to be exploited in newly deployed markets, specifically when the aToken's totalSupply is zero.

In the initial stages of a market launch, an attacker could exploit a brief window to manipulate the exchange rate. This manipulation involves depositing a substantial amount of tokens into the pool and subsequently withdrawing all but one Wei of tokens. This action significantly inflates the value of the liquidityIndex as the totalSupply is then set to one Wei, leading to a discrepancy in the exchange rate. As a result, the attacker may borrow more tokens than expected.

The issue has been previously addressed and mitigated within the original Aave protocol. This mitigation involved incorporating an initial deposit requirement during the creation of new markets, ensuring that they are never left in an empty state.

Zellic © 2024Back to top ↑