Caviar Private Pools - SpicyMeatball's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 07/04/2023

Pot Size: $47,000 USDC

Total HM: 20

Participants: 120

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 230

League: ETH

Caviar


Researcher Performance

Rank: 111/120

Findings: 1

Award: $8.03

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

8.0283 USDC - $8.03

Labels

bug
2 (Med Risk)
satisfactory
duplicate-864

External Links

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L750-L751

https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L632-L635

https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L651

Vulnerability details

Impact

To execute a flash loan, the user must send a fee to the pool contract, either in ETH or in ERC20 tokens. The fee amount is read from the getter flashFee, which returns the changeFee value. This value is set during initialization and is also used in change operations:

```solidity
/// @notice The change/flash fee to 4 decimals of precision. For example, 0.0025 ETH = 25. 500 USDC = 5_000_000.
uint56 public changeFee;
```

As stated in the comment, changeFee is a raw 4-decimal value and must be scaled to wei (base-token units) before it is applied. flashFee returns it unscaled, so the pool charges far less than it is supposed to during a flash loan.

Proof of Concept

Let's see how this is done when the user calls the change function: there we call changeFeeQuote

```solidity
function changeFeeQuote(uint256 inputAmount) public view returns (uint256 feeAmount, uint256 protocolFeeAmount) {
    // multiply the changeFee to get the fee per NFT (4 decimals of accuracy)
    uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4;
    uint256 feePerNft = changeFee * 10 ** exponent;
    feeAmount = inputAmount * feePerNft / 1e18;
    protocolFeeAmount = feeAmount * Factory(factory).protocolFeeRate() / 10_000;
}
```

where changeFee is properly converted to wei; indeed, if the base token is ETH, changeFee = 25 corresponds to 2 500 000 000 000 000 wei, or 0.0025 ETH, per NFT.

Tools Used

Recommended Mitigation Steps

Make changes to flashFee

```solidity
function flashFee() public view returns (uint256 feeAmount) {
    (feeAmount, ) = changeFeeQuote(1 ether);
}
```
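To make the undercharge concrete, here is an added Python model of the fee arithmetic (not the Caviar code) that mirrors changeFeeQuote, the reported flashFee behaviour, and the suggested fix; the changeFee values are the ones from the NatSpec comment, and the protocol fee rate is an assumed parameter defaulting to 0.

```python
# Model of the PrivatePool fee arithmetic described in the finding.
# Constructed example values: 0.0025 ETH = 25, 500 USDC = 5_000_000 (from the NatSpec comment).
ONE_NFT = 10**18  # changeFeeQuote treats inputAmount in 18-decimal NFT units (1 ether = 1 NFT)


def change_fee_quote(change_fee: int, input_amount: int,
                     base_token_decimals: int, protocol_fee_rate: int = 0):
    """Mirror of changeFeeQuote: scale the 4-decimal changeFee to base-token
    units, then charge feePerNft per 1e18 of inputAmount. base_token_decimals
    is 18 for ETH (address(0)) or ERC20(baseToken).decimals() otherwise."""
    exponent = base_token_decimals - 4
    fee_per_nft = change_fee * 10 ** exponent
    fee_amount = input_amount * fee_per_nft // 10**18
    protocol_fee_amount = fee_amount * protocol_fee_rate // 10_000
    return fee_amount, protocol_fee_amount


def flash_fee_vulnerable(change_fee: int) -> int:
    """Behaviour the finding reports: flashFee hands back the raw 4-decimal value."""
    return change_fee


def flash_fee_fixed(change_fee: int, base_token_decimals: int) -> int:
    """Suggested mitigation: quote the change fee for exactly one NFT (1 ether)."""
    fee_amount, _ = change_fee_quote(change_fee, ONE_NFT, base_token_decimals)
    return fee_amount


def undercharge_factor(change_fee: int, base_token_decimals: int) -> int:
    """How many times too small the vulnerable flash fee is, i.e. 10 ** (decimals - 4)."""
    return flash_fee_fixed(change_fee, base_token_decimals) // flash_fee_vulnerable(change_fee)


if __name__ == "__main__":
    for name, fee, dec in (("ETH", 25, 18), ("USDC", 5_000_000, 6)):
        print(name, "vulnerable:", flash_fee_vulnerable(fee),
              "fixed:", flash_fee_fixed(fee, dec),
              "undercharged by:", undercharge_factor(fee, dec))
```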

#0 - c4-pre-sort

2023-04-20T15:11:22Z

0xSorryNotSorry marked the issue as duplicate of #864

#1 - c4-judge

2023-05-01T07:09:07Z

GalloDaSballo marked the issue as satisfactory
