Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 97/120
Findings: 2
Award: $14.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xNorman, 0xRobocop, Aymen0909, ElKu, GT_Blockchain, Josiah, KrisApostolov, RaymondFam, SpicyMeatball, ToonVH, Voyvoda, anodaram, aviggiano, bin2chen, climber2002, giovannidisiena, jpserrat, minhtrng, rbserver, sashik_eth, shaka, wintermute
8.0283 USDC - $8.03
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L416
The fee for a flashloan does not take the decimals of the underlying asset into account, and is statically calculated (=changeFee, regardless of flashloan size).
If a changeFee of 25 is set (= 0.0025 ETH as mentioned on line 87), the flashloan fee will only be 25 wei, not the intended 0.0025 ETH.
This is because flashfee simply returns the changeFee. It does not convert the changeFee from 4 decimals to the decimals of the basetoken.
function flashFee(address, uint256) public view returns (uint256) { return changeFee; }
Additionally the flashfee is static and does not change depending on the value of the loaned NFT. However, it is unclear if this is intended behaviour.
#0 - c4-pre-sort
2023-04-20T15:08:15Z
0xSorryNotSorry marked the issue as duplicate of #864
#1 - c4-judge
2023-05-01T07:06:50Z
GalloDaSballo changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-05-01T07:09:05Z
GalloDaSballo marked the issue as satisfactory
5.9827 USDC - $5.98
Judge has assessed an item in Issue #225 as 2 risk. The relevant finding follows:
uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4; will revert since ERC20(baseToken).decimals() - 4; causes an underflow
#0 - c4-judge
2023-05-03T08:02:29Z
GalloDaSballo marked the issue as duplicate of #858
#1 - c4-judge
2023-05-03T08:02:41Z
GalloDaSballo marked the issue as satisfactory
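The two findings above (the unscaled flash fee and the `decimals() - 4` underflow) concern the same 4-decimal-to-base-unit conversion, so the following added example shows both beside one decimal-aware variant. It is not code from the Caviar repository or from the wardens; the contract name, the function names `flashFeeUnscaled`, `flashFeeUnderflowing` and `flashFeeScaled`, and the scaling approach in the last function are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interface: only decimals() is needed for the scaling.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Illustrative contract (hypothetical name), not Caviar's PrivatePool.
contract FlashFeeScalingExample {
    address public immutable baseToken; // address(0) means native ETH
    uint56 public immutable changeFee;  // 4-decimal fixed point: 25 == 0.0025

    constructor(address _baseToken, uint56 _changeFee) {
        baseToken = _baseToken;
        changeFee = _changeFee;
    }

    // Behaviour described in the first finding: the raw 4-decimal value is
    // returned as base units, so changeFee = 25 charges 25 wei.
    function flashFeeUnscaled() public view returns (uint256) {
        return changeFee;
    }

    // Expression quoted in the second finding: checked uint8 arithmetic in
    // Solidity 0.8.x reverts with Panic(0x11) when decimals() < 4.
    function flashFeeUnderflowing() public view returns (uint256) {
        uint256 exponent = baseToken == address(0) ? 18 - 4 : IERC20Decimals(baseToken).decimals() - 4;
        return changeFee * 10 ** exponent;
    }

    // Assumed decimal-aware variant: scale up when the token has at least
    // 4 decimals, otherwise scale down (integer division rounds toward zero,
    // so a small changeFee can round to a fee of 0 on such tokens).
    function flashFeeScaled() public view returns (uint256) {
        uint256 tokenDecimals = baseToken == address(0) ? 18 : IERC20Decimals(baseToken).decimals();
        if (tokenDecimals >= 4) {
            return uint256(changeFee) * 10 ** (tokenDecimals - 4);
        }
        return uint256(changeFee) / 10 ** (4 - tokenDecimals);
    }
}
```

With `baseToken = address(0)` and `changeFee = 25`, `flashFeeUnscaled()` returns 25 while `flashFeeScaled()` returns 2500000000000000 (0.0025 ETH in wei).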