Caviar Private Pools - climber2002's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 07/04/2023

Pot Size: $47,000 USDC

Total HM: 20

Participants: 120

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 230

League: ETH

Caviar

Findings Distribution

Researcher Performance

Rank: 109/120

Findings: 1

Award: $8.03

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

8.0283 USDC - $8.03

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-864

External Links

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L750-L752

Vulnerability details

Impact

flashFee() doesn't take the exponent into account, so the actual flash fee required is much lower than expected.

Proof of Concept

The changeFee definition has this comment:

    // The change/flash fee to 4 decimals of precision. For example, 0.0025 ETH = 25. 500 USDC = 5_000_000.
    uint56 public changeFee;

changeFeeQuote also takes the exponent into account:

    uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4;
    uint256 feePerNft = changeFee * 10 ** exponent;

However, flashLoan uses changeFee directly:

    // calculate the fee
    uint256 fee = flashFee(token, tokenId);

    // if base token is ETH then check that caller sent enough for the fee
    if (baseToken == address(0) && msg.value < fee) revert InvalidEthAmount();

Suppose baseToken is address(0) and changeFee is 25. The expectation is that the flash fee should be 0.0025 ETH, but it actually only takes 25 wei to perform a flash loan. That's much smaller than expected.

Tools Used

Manual Review

In flashFee, add the exponent calculation:

    function flashFee(address, uint256) public view returns (uint256) {
        uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4;
        return changeFee * 10 ** exponent;
    }
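The unit mismatch described in this finding, as an added example that is not part of the original submission or of Caviar's code. `FeeModel` and `FeeUnitCheck` are hypothetical names, and `baseDecimals` is an assumed stand-in for the `baseToken == address(0) ? 18 : ERC20(baseToken).decimals()` lookup; the sample values are the two from the `changeFee` comment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Caviar's code: FeeModel is a hypothetical stand-in that
// keeps only the fee arithmetic quoted in the finding.
contract FeeModel {
    uint56 public immutable changeFee;   // 4 decimals of precision: 25 = 0.0025 ETH
    uint8 public immutable baseDecimals; // assumption: 18 for ETH, else the token's decimals()

    constructor(uint56 changeFee_, uint8 baseDecimals_) {
        changeFee = changeFee_;
        baseDecimals = baseDecimals_;
    }

    // Fee as the finding describes it: the raw 4-decimal value, read as base units.
    function flashFeeAsReported() public view returns (uint256) {
        return changeFee;
    }

    // Fee with the mitigation from the finding: scaled to the token's decimals.
    function flashFeeMitigated() public view returns (uint256) {
        uint256 exponent = baseDecimals - 4;
        return changeFee * 10 ** exponent;
    }
}

contract FeeUnitCheck {
    // Returns true when both sample pools behave as the finding states.
    function check() external returns (bool) {
        FeeModel ethPool = new FeeModel(25, 18);        // intended fee: 0.0025 ETH
        FeeModel usdcPool = new FeeModel(5_000_000, 6); // intended fee: 500 USDC

        // Unscaled: 25 wei and 5 USDC (5_000_000 base units) pass as the fee.
        assert(ethPool.flashFeeAsReported() == 25);
        assert(usdcPool.flashFeeAsReported() == 5_000_000);

        // Scaled: matches the values given in the changeFee comment.
        assert(ethPool.flashFeeMitigated() == 0.0025 ether);
        assert(usdcPool.flashFeeMitigated() == 500 * 10 ** 6);

        // The shortfall factor is 10 ** (decimals - 4).
        assert(ethPool.flashFeeMitigated() / ethPool.flashFeeAsReported() == 10 ** 14);
        assert(usdcPool.flashFeeMitigated() / usdcPool.flashFeeAsReported() == 10 ** 2);
        return true;
    }
}
```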

#0 - c4-pre-sort

2023-04-20T15:08:09Z

0xSorryNotSorry marked the issue as duplicate of #864

#1 - c4-judge

2023-05-01T07:09:10Z

GalloDaSballo marked the issue as satisfactory
