Platform: Code4rena
Start Date: 14/10/2022
Pot Size: $100,000 USDC
Total HM: 12
Participants: 75
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 171
League: ETH
Rank: 65/75
Findings: 1
Award: $0.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: Aymen0909, Dravee, Josiah, M4TZ1P, Mukund, Nyx, SooYa, catchup, cccz, chaduke, csanuragjain, djxploit, hansfriese, ladboy233, leosathya, pashov, rvierdiiev, sorrynotsorry, supernova, vv7, wagmi, zzykxx
0.006 USDC - $0.01
Judge has assessed an item in Issue #474 as M risk. The relevant finding follows:
[L-01] Flashloan fee is not validated _flashLoanFee is determined at LBFactory's constructor as;
constructor(address _feeRecipient, uint256 _flashLoanFee) { _setFeeRecipient(_feeRecipient); flashLoanFee = _flashLoanFee; emit FlashLoanFeeSet(0, _flashLoanFee); }
Permalink
and in setFlashLoanFee() as;
function setFlashLoanFee(uint256 _flashLoanFee) external override onlyOwner { uint256 _oldFlashLoanFee = flashLoanFee; if (_oldFlashLoanFee == _flashLoanFee) revert LBFactory__SameFlashLoanFee(_flashLoanFee); flashLoanFee = _flashLoanFee; emit FlashLoanFeeSet(_oldFlashLoanFee, _flashLoanFee); }
Permalink
However, if the the fee somehow is set to an arbitrary ratio such as 100% (even the intention is to set the fee to 10%), this will lead to flashloan causing loss of funds for the user who uses it. It would be the best if the flashloan fee is required to be in boundries which is set by the protocol.
#0 - c4-judge
2022-11-16T21:49:57Z
GalloDaSballo marked the issue as duplicate of #139
#1 - Simon-Busch
2022-12-05T06:31:43Z
Marked this issue as Satisfactory as requested by @GalloDaSballo