berlin-101
high
The math for calculating the increase in reserves is wrong.
In line https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L914 of IronBank.sol the increase of reserves (reservesIncreased) is calculated.
Although the correct formula for reservesIncreased is not documented (not in the project README.md files and no whitepaper is available) there is a high probability that the calculation is wrong. Therefore I want to point this out.
The current implementation is as follows:
reservesIncreased = (feeIncreased * (totalSupply + totalReserves))
/ (totalCash + totalBorrow + (interestIncreased - feeIncreased));See the "+" in front of the (interestIncreased - feeIncreased))? That hints that rather a "*" should be used like in the left half of the division.
A possible correction could be this on:
reservesIncreased = (feeIncreased * (totalSupply + totalReserves))
/ (totalCash + totalBorrow * (interestIncreased - feeIncreased));Compound uses a much simpler calculation for this: https://github.com/compound-finance/compound-protocol/blob/a3214f67b73310d547e00fc578e8355911c9d376/contracts/CToken.sol#L362.
Since IronBank leans on Compound logic (e.g. for calculation of earned interest based on current borrow) it may be another hint that something with the calculation of reservesIncreased is wrong as the calculation of reserves is much more complex in IronBank.
The caculation of fees added to reserves is incorrect. This affects the calculation of the borrow rate as it depends on the reserves which may be different than expected. The borrow rate is one of the most important factors of the IronBank math. So if that is off, lots of things will be off.
Manual Review
Review and fix the formula for reservesIncreased. Also, please add documentation on why the calculations are done like they are done. For an audit this would have been important to have to check protocol math against a reference.