Platform: Code4rena
Start Date: 14/10/2022
Pot Size: $100,000 USDC
Total HM: 12
Participants: 75
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 171
League: ETH
Rank: 69/75
Findings: 1
Award: $0.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: Aymen0909, Dravee, Josiah, M4TZ1P, Mukund, Nyx, SooYa, catchup, cccz, chaduke, csanuragjain, djxploit, hansfriese, ladboy233, leosathya, pashov, rvierdiiev, sorrynotsorry, supernova, vv7, wagmi, zzykxx
0.006 USDC - $0.01
The factory owner has the power to set flash loan fees to any arbitrary amount. This can be potentially dangerous for users, especially if they don't check the amount of flash loan fees before calling the LBPair flashLoan function (by calling the factory contract flashLoanFee variable directly to send the fees to the protocol in their callback function logic).
Example: FlashLoanFee = 500000000000000000
Contract A calls the flashLoan function.
Unknowingly sends 50% of the flash loan as fees, as the contract transferred tokens by calling the factory contract directly instead of manually entering the fees to send. Clearly the user is at a loss.
VsCode
I recommend creating a sensible lower and upper limit in case of flash loan fees set by the owner.
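
The recommended bound, together with a borrower-side check for the 50% case above, as an added example that is not part of the original submission or the audited code base. The contract names, the 1% cap and the helper `_requireFeeWithinLimit` are hypothetical, and the 1e18 fee scale is an assumption inferred from the example value 500000000000000000.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration: owner-settable fee with a hard upper limit (hypothetical names).
contract FactoryWithBoundedFee {
    uint256 public constant PRECISION = 1e18;          // assumed scale: 5e17 == 50%
    uint256 public constant MAX_FLASH_LOAN_FEE = 1e16; // hypothetical cap: 1%

    address public immutable owner;
    uint256 public flashLoanFee;

    error NotOwner();
    error FlashLoanFeeAboveMax(uint256 fee, uint256 max);
    event FlashLoanFeeSet(uint256 oldFee, uint256 newFee);

    constructor() {
        owner = msg.sender;
    }

    function setFlashLoanFee(uint256 newFee) external {
        if (msg.sender != owner) revert NotOwner();
        // The owner can no longer move the fee outside the documented range.
        if (newFee > MAX_FLASH_LOAN_FEE) revert FlashLoanFeeAboveMax(newFee, MAX_FLASH_LOAN_FEE);
        emit FlashLoanFeeSet(flashLoanFee, newFee);
        flashLoanFee = newFee;
    }
}

// Borrower-side guard for contracts that repay whatever fee the factory reports.
abstract contract FeeCheckedBorrower {
    uint256 internal constant PRECISION = 1e18;
    uint256 internal immutable maxAcceptedFee; // borrower's own limit, same 1e18 scale

    error FlashLoanFeeTooHigh(uint256 feeAmount, uint256 maxFeeAmount);

    constructor(uint256 maxAcceptedFee_) {
        maxAcceptedFee = maxAcceptedFee_;
    }

    // Call in the flash loan callback before transferring the repayment.
    // With amount = 100 and a 50% fee (feeAmount = 50), a 1% limit allows 1 and reverts.
    function _requireFeeWithinLimit(uint256 amount, uint256 feeAmount) internal view {
        uint256 maxFeeAmount = (amount * maxAcceptedFee) / PRECISION;
        if (feeAmount > maxFeeAmount) revert FlashLoanFeeTooHigh(feeAmount, maxFeeAmount);
    }
}
```

The borrower-side check compares amounts rather than rates, so it holds regardless of how the pair rounds the fee.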
#0 - Shungy
2022-10-24T10:03:30Z
I believe this finding to be technically valid but of lower severity.
My reasoning is stated in a similar finding: https://github.com/code-423n4/2022-10-traderjoe-findings/issues/472#issuecomment-1288454510
#1 - GalloDaSballo
2022-10-27T21:15:58Z
#2 - c4-judge
2022-11-23T18:38:00Z
GalloDaSballo marked the issue as not a duplicate
#3 - c4-judge
2022-11-23T18:39:18Z
GalloDaSballo marked the issue as duplicate of #139
#4 - Simon-Busch
2022-12-05T06:34:21Z
Marked this issue as Satisfactory as requested by @GalloDaSballo