Jumpy Viridian Porpoise
Medium
Applying accrued interest to total borrows and reserves can be performed by unsigned account via CToken contract
Summary: Applying accrued interest to total borrows and reserves can be performed by unsigned account via CToken contract. The amount that can be written as interest accrued from the last checkpointed block to storage by the unsigned verifier. This allows the opportunity for the contract to be Dos'ed.
Location: https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/lending/CToken.sol#L416-L503
Impact: In the code, the accrue interest function updates the interest accrued since the last block and writes it to storage. But, the function has no access control modifier.
Recommendation: To mitigate this vulnerability, consider implementing an OpenZeppelin ownable access control, such as onlyOwner. Here follows an example of what your access modifier would look like on the accrueInterest function.
+ function accrueInterest() public virtual onlyOwner override returns (uint) {
- function accrueInterest() public virtual override returns (uint) {