Severity: Medium
Files Affected
cadence/contracts/FlowALPv1.cdc
Description
The setInterestCurve() function allows governance to dynamically change the interest rate model (e.g., from a fixed rate to a kinked curve) for a supported token. This change is applied instantly to the token's state via the internal TokenState.setInterestCurve() function. Because the protocol does not enforce a timelock mechanism for governance actions, nor does it provide slippage tolerance parameters for interest rates on user operations, a user's transaction may be executed under a drastically different interest rate environment than what was evaluated when the transaction was submitted to the network.
Exploit Scenario:
- A user reviews the current pool state and observes a favorable FixedRateInterestCurve with a low APY for borrowing tokens.
- The user submits a transaction to borrow a large sum by calling withdraw() to create a debit balance.
- Concurrently, a governance transaction calls setInterestCurve() to update the token's curve to a KinkInterestCurve with a very steep post-kink slope, and this transaction is ordered immediately before the user's transaction in the block.
- The user's transaction executes successfully under the new state, instantly locking them into a high-interest debt position that they did not consent to, forcing them to pay unexpectedly high fees.
Recommendation
Implement a timelock delay for sensitive governance parameter changes (such as interest curves, reserve factors, and risk parameters). A timelock provides a grace period, allowing users to exit or adjust their positions before the new economic models take effect. Alternatively, require user-facing operations that create debt to include a security parameter, enforcing strict on-chain slippage protection during the transaction's execution.
Parent Issue: #209
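
Both mitigations from the Recommendation, written in Cadence as an added example that is not taken from FlowALPv1.cdc: governance can only queue a curve that activates after a delay, and the debt-creating call takes a caller-supplied maximum rate. The contract, entitlement, field and function names, the `rate(utilization:)` interface and the utilization formula are all assumptions made for illustration.

```cadence
// Added illustration. Every name below is hypothetical, not FlowALPv1's API.
access(all) contract CurveGuardExample {
    access(all) entitlement Governance

    // Assumed minimal shape of an interest curve.
    access(all) struct interface InterestCurve {
        access(all) view fun rate(utilization: UFix64): UFix64
    }

    access(all) resource TokenState {
        access(all) var curve: {InterestCurve}
        access(all) var pendingCurve: {InterestCurve}?
        access(all) var pendingEffectiveAt: UFix64
        access(all) let delay: UFix64          // timelock length in seconds
        access(all) var totalCredit: UFix64
        access(all) var totalDebt: UFix64

        init(curve: {InterestCurve}, delay: UFix64, totalCredit: UFix64) {
            self.curve = curve
            self.pendingCurve = nil
            self.pendingEffectiveAt = 0.0
            self.delay = delay
            self.totalCredit = totalCredit
            self.totalDebt = 0.0
        }

        // Timelock: governance can only queue a curve; the active curve is untouched.
        access(Governance) fun queueInterestCurve(_ newCurve: {InterestCurve}) {
            self.pendingCurve = newCurve
            self.pendingEffectiveAt = getCurrentBlock().timestamp + self.delay
        }

        // Anyone may activate the queued curve once the delay has elapsed.
        access(all) fun applyPendingCurve() {
            let next = self.pendingCurve ?? panic("no curve queued")
            assert(getCurrentBlock().timestamp >= self.pendingEffectiveAt, message: "timelock not elapsed")
            self.curve = next
            self.pendingCurve = nil
        }

        // Rate guard: the whole transaction reverts if the rate at execution time exceeds maxRate.
        access(all) fun borrow(amount: UFix64, maxRate: UFix64) {
            let debtAfter = self.totalDebt + amount
            assert(self.totalCredit > 0.0 && debtAfter <= self.totalCredit, message: "insufficient liquidity")
            let rate = self.curve.rate(utilization: debtAfter / self.totalCredit)
            assert(rate <= maxRate, message: "rate above caller's maxRate")
            self.totalDebt = debtAfter
        }
    }
}
```

With either guard in place, the ordering in the exploit scenario no longer locks the borrower into the new curve: the queued curve is not yet active, or the borrow reverts instead of executing at the higher rate.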