Platform: Code4rena
Start Date: 04/01/2022
Pot Size: $25,000 USDC
Total HM: 3
Participants: 40
Period: 3 days
Judge: Ivo Georgiev
Total Solo HM: 1
Id: 75
League: ETH
Rank: 13/40
Findings: 1
Award: $351.61
🌟 Selected for report: 0
🚀 Solo Findings: 0
351.6081 USDC - $351.61
pedroais
Anyone could use a flash loan to lock and unlock in the same block with a large amount and get an NFT with high points with funds that do not belong to him. Even if the multiplier for 0 timelock is 0 this could be done to get the NFT.
Point calculation formula : return amount_ * (duration_ + _zeroDurationPointBase);
Add a minimal timelock of 1 block to protect the contract from flash loans
#0 - deluca-mike
2022-01-08T02:32:45Z
You know, I was about to write this: "This is expected, but also irrelevant, because we won't allow 0 duration, and even if we did, the gas costs to lock and unlock in the same block in a flash loan is probably way too high to justify the "loyalty" points one gets."
However, I thought about it some more and I have to agree that if we did allow a 0 duration, this entire score system is unenforceable due to flash loans. So, because of that, I'm going to make the score function simply amount_ * duration_, and remove _zeroDurationPointBase from the contract. If we wanted "mimial" lock duration, we can simply do something small like 1 day, or even 1 second. And if we did allow 0 seconds, then its only fair that "flash loaner" gets an NFT of 0 score.
#1 - deluca-mike
2022-01-09T11:02:40Z
Duplicate #139