[SECURITY DISCLOSURE] Critical Vulnerability found in BaseJumpRateModelV2.sol #299

@rbxict

SECURITY AUDIT REPORT

Contract Name: BaseJumpRateModelV2
Audit Date: March 21, 2024
Severity Levels:

  • CRITICAL: Bugs that can cause significant financial loss or complete contract compromise.
  • HIGH: Bugs that can cause notable financial loss or considerable contract disruption.

ABSTRACT

This security audit report outlines the findings of a comprehensive review of the BaseJumpRateModelV2 contract. The audit aimed to identify potential security vulnerabilities, focusing on CRITICAL and HIGH severity bugs.

BUG REPORT

After conducting a thorough analysis of the provided contract, several issues were identified.

  1. Reentrancy Vulnerability (HIGH)
    In the updateJumpRateModel function, the require statement checks if the msg.sender is the owner. However, this check is not sufficient to prevent reentrancy attacks. An attacker could exploit this by calling the updateJumpRateModel function and then reentering the contract, potentially modifying the owner variable or updating the interest rate model maliciously. To mitigate this, consider adding a reentrancy lock or using the Checks-Effects-Interactions pattern.
function updateJumpRateModel(uint baseRatePerYear, uint multiplierPerYear, uint jumpMultiplierPerYear, uint kink_) virtual external {
    require(msg.sender == owner, "only the owner may call this function.");
    // ...
}
  2. Unprotected Function (HIGH)
    The utilizationRate function is marked as public and can be called by anyone. Although it does not modify any state, it can still be used to gather information about the market. Consider making this function internal or private to restrict access.
function utilizationRate(uint cash, uint borrows, uint reserves) internal pure returns (uint) {
    // ...
}
  3. Division by Zero (HIGH)
    In the utilizationRate function, there is a division operation that can potentially result in a division by zero error. Although the function checks if borrows is zero, it does not account for the case where cash + borrows - reserves is zero.
return borrows * BASE / (cash + borrows - reserves);

To fix this, add a check to ensure the divisor is not zero:

function utilizationRate(uint cash, uint borrows, uint reserves) internal pure returns (uint) {
    if (borrows == 0) {
        return 0;
    }

    uint denominator = cash + borrows - reserves;
    require(denominator != 0, "division by zero");
    return borrows * BASE / denominator;
}

RECOMMENDATIONS

  1. Implement reentrancy protection in the updateJumpRateModel function.
  2. Restrict access to the utilizationRate function by making it internal or private.
  3. Add a check to prevent division by zero in the utilizationRate function.

CONCLUSION

The BaseJumpRateModelV2 contract has several security vulnerabilities that need to be addressed. By implementing the recommended fixes, the contract can be significantly more secure and resilient to potential attacks.

FINAL STATUS

The contract is not secure due to the identified vulnerabilities. It requires immediate attention to fix the CRITICAL and HIGH severity bugs before deployment.


RECOMMENDATION: Immediate patch required. Bug Bounty Payout Address (ERC20): 0xe744f6791a685b0A0cC316ED44375B69361c837F
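
The input classes of the utilizationRate snippet quoted in the report above, as an added example that is not part of the original issue or of the project's code. The contract name, check(), the 0.8.x pragma and BASE = 1e18 are assumptions made for this harness.

```solidity
// SPDX-License-Identifier: MIT
// Added example: not code from the issue or from the project it was filed against.
// Assumptions: Solidity 0.8.x (checked arithmetic) and BASE = 1e18; the
// contract name and check() are hypothetical.
pragma solidity ^0.8.10;

contract UtilizationRateHarness {
    uint256 private constant BASE = 1e18;

    // utilizationRate as quoted in the report, with the proposed denominator
    // check. Declared public here (the report's snippet is internal) so that
    // check() can call it externally and catch its reverts.
    function utilizationRate(uint256 cash, uint256 borrows, uint256 reserves)
        public pure returns (uint256)
    {
        if (borrows == 0) {
            return 0;
        }
        uint256 denominator = cash + borrows - reserves;
        require(denominator != 0, "division by zero");
        return borrows * BASE / denominator;
    }

    // Runs the four input classes; reverts if any behaves unexpectedly.
    function check() external view returns (bool) {
        // No borrows: early return, the denominator is never computed.
        require(utilizationRate(100, 0, 500) == 0, "borrows == 0");
        // Ordinary market: 50 borrowed of 100 total gives 50% utilization.
        require(utilizationRate(50, 50, 0) == BASE / 2, "normal case");

        // cash + borrows == reserves: the added require rejects the call.
        try this.utilizationRate(0, 10, 10) returns (uint256) {
            revert("expected revert on zero denominator");
        } catch Error(string memory reason) {
            require(keccak256(bytes(reason)) == keccak256("division by zero"), "reason");
        }

        // reserves > cash + borrows: the subtraction underflows and checked
        // arithmetic raises Panic(0x11) before the require is reached.
        try this.utilizationRate(0, 10, 11) returns (uint256) {
            revert("expected panic on underflow");
        } catch Panic(uint256 code) {
            require(code == 0x11, "panic code");
        }
        return true;
    }
}
```

Deploy the harness in any 0.8.x test environment and call check(); it returns true when all four cases behave as the comments describe.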
