Summary
Any case where (l.interestRate * l.debt * timeElapsed) is lower than 3.1536e11 will make it an interest-free loan.
Vulnerability Details
Loans accrue interest for every second since being taken out. The issue arises when loans are taken in low-decimal, high-value tokens like WBTC. With so few decimals, the interest calculation rounds down to 0 whenever (l.interestRate * l.debt * timeElapsed) is lower than 3.1536e11 (10000 * 365 days in seconds).
    function _calculateInterest(
        Loan memory l
    ) internal view returns (uint256 interest, uint256 fees) {
        uint256 timeElapsed = block.timestamp - l.startTimestamp;
        interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days; // @audit anything lower than 3.1536e11 will round down to 0, thus making it an interest-free loan
        fees = (lenderFee * interest) / 10000;
        interest -= fees;
    }
For example, a loan with 1e6 worth of WBTC (around $300) and a fee of 1000 basis points (10%) for 300 seconds will be interest-free. The same can be achieved with lower debt amounts for longer periods of time. For example, if the loan gets segmented into 10 smaller ones with 1e5 worth of debt in each, the interest-free period will be more than 3000 seconds, and so on.
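The truncation above can be reproduced with exact integer arithmetic. The following Python model is an added example, not code from the audited repository: it mirrors the contract's formula, computes the longest interest-free window for a given rate and debt, and sketches the flat-interest recommendation. The function names and the `flat_after` / `flat_interest` parameters are assumptions made for illustration.

```python
# Added example: integer model of the page's _calculateInterest().
# Solidity uint256 division truncates; Python's // does the same for values >= 0.
BPS = 10_000
YEAR = 365 * 24 * 60 * 60        # Solidity `365 days`, in seconds
DENOM = BPS * YEAR               # 3.1536e11, the threshold named in the finding


def calculate_interest(rate_bps, debt, elapsed, lender_fee_bps=0):
    """Same arithmetic as the contract: returns (interest, fees)."""
    interest = (rate_bps * debt * elapsed) // BPS // YEAR
    fees = (lender_fee_bps * interest) // BPS
    return interest - fees, fees


def interest_free_seconds(rate_bps, debt):
    """Longest elapsed time for which interest still truncates to 0."""
    if rate_bps == 0 or debt == 0:
        return None              # nothing ever accrues
    # interest == 0  <=>  rate * debt * t < DENOM
    return -(-DENOM // (rate_bps * debt)) - 1


def calculate_interest_flat(rate_bps, debt, elapsed, flat_after, flat_interest,
                            lender_fee_bps=0):
    """Sketch of the recommendation; flat_after and flat_interest are
    hypothetical parameters, not part of the audited contract."""
    interest = (rate_bps * debt * elapsed) // BPS // YEAR
    if elapsed >= flat_after and interest < flat_interest:
        interest = flat_interest
    fees = (lender_fee_bps * interest) // BPS
    return interest - fees, fees


def demo():
    """Constructed inputs taken from the finding's two examples."""
    rate = 1000                                  # 10% in basis points
    single = calculate_interest(rate, 10**6, 3000)[0]
    split = sum(calculate_interest(rate, 10**5, 3000)[0] for _ in range(10))
    return {
        "window_1e6": interest_free_seconds(rate, 10**6),
        "window_1e5": interest_free_seconds(rate, 10**5),
        "single_3000s": single,
        "split_3000s": split,
        "flat_3000s": calculate_interest_flat(rate, 10**5, 3000, 60, 1)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `interest_free_seconds` over each supported token's smallest realistic debt and the pool's rate range gives the window a flat-interest threshold would have to cover.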
Impact
The lenders will not accrue fees for relatively short loans with such tokens.
Tools Used
Manual Review
Recommendations
Consider adding a flat interest that gets charged after a specific amount of seconds.
Tokens with lower decimals do not generate appropriate interest amounts
Severity
Medium Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L720-L727
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L724