Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Suilend>Medium findings>Rate limiter can be abused
GeneralOverview
Findings
Medium (2)No mechanism for debt write-offRate limiter can be abused
DiscussionUse of APR in configurationLiquidate maximum percentage is weightedDesync between reserve and obligation interest
Threat ModelWhat are threat models?1-lending_market3-reserve4-obligation
Audit ResultsSummary
Category: Business Logic

Rate limiter can be abused

Medium Severity
Medium Impact
Low Likelihood

Description

The protocol uses a single rate limiter for the entire protocol. The rate limiter limits the amount of withdrawn coins in a given time window. This includes all supported coin types but not cTokens. There is no fee for depositing and immediately withdrawing.

Impact

It is possible to halt withdrawals of other users by intentionally filling the rate limit by depositing and immediately withdrawing repeatedly. The attack can potentially be made less costly through flash loans. The exact cost of the attack would depend on the gas cost at the time of the attack and the cheapest available flash loans.

However, we note that the administrator can manually reset the rate limit if it is filled and potentially even completely disable it by setting the rate limit to a very large value.

Recommendations

We recommend that the rate-limiter mechanism be redesigned.

Remediation

Zellic © 2025Back to top ↑