# Boost \_ Folks Finance 33311 - \[Smart Contract - Critical] Infinite Interest rate bug Submitted on Wed Jul 17 2024 12:14:00 GMT-0400 (Atlantic Standard Time) by @kankodu for [Boost | Folks Finance](https://immunefi.com/bounty/folksfinance-boost/) Report ID: #33311 Report type: Smart Contract Report severity: Critical Target: Impacts: * Protocol insolvency * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield ## Description ## Brief/Intro Here's the equation for utilisation that is being used currently `U=TotalVariableBorrowAmount+TotalStableBorrowAmountTotalDeposits/TotalDeposits` When totalDeposits is lower than the totalBorrowed amount, the utilization can be much greater than 100%, which in turn makes borrowRates and depositRates very high. ## Vulnerability Details * When a new token with CF > 0 is added, the attacker deposits 1e5 wei of its token, making TotalDeposits = 1e5. * Let's say the decimals for this newly added token are 1e18. The attacker then donates 1e18 wei of tokens directly to the HubPool and borrows. * This is allowed as there is no check for it in the borrow method. It makes the totalBorrows = 1e18. * Utilization is 1e13 in this case, which makes the interest rate \~4e31. This translates to 4 trillion percent per second. * After just a block, the attacker's original 1e5 deposits would have turned into a very large amount (in billions) due to the interest rate being an outrageous trillion percent per second. * The attacker goes ahead and borrows all the tokens against this deposit as CF for this token is non-zero. ## Impact Details * Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield * Protocol insolvency ## References * ## Proof of concept ## Proof of Concept Add below testcase in `test/hub/HubPool.test.ts` that shows the the interest rate is a very large amount when totalDeposits is way smaller than the totalBorrowedAmount ``` it.only("infinite interest rate", async () => { const { loanManager, hubPool } = await loadFixture(deployHubPoolFixture); // set pool data with deposit total amount const depositTotalAmount = BigInt(1e5); const poolData = getInitialPoolData(); poolData.depositData.totalAmount = depositTotalAmount; await hubPool.setPoolData(poolData); // update pool with borrow const amount = BigInt(1e18); const isStable = false; const updatePoolWithBorrow = await hubPool.connect(loanManager).updatePoolWithBorrow(amount, isStable); expect((await hubPool.getVariableBorrowData())[3]).to.equal(poolData.variableBorrowData.totalAmount + amount); await expect(updatePoolWithBorrow).to.emit(hubPool, "InterestRatesUpdated"); expect((await hubPool.getVariableBorrowData())[4]).to.be.greaterThan(BigInt(1e31)) }); ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/folks-finance/boost-_-folks-finance-33311-smart-contract-critical-infinite-interest-rate-bug.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.