Owner can set flashloan fees to any value #344
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-139
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/07f84867a018cbfc591f9b5063bf6e59e1f2cb85/src/LBFactory.sol#L474
Vulnerability details
Proof of concept
The code in LBFactory.sol to set the flashloan fee is this:

So the owner can set any flashloan fee at any time, without constraints. A malicious or compromised owner can front-run any flash loan and set the fee to a number high enough that it drains more value from the flash loan user than they expect.
Impact
This can result in a loss of capital for a flash loan user, but it can only happen if the owner of LBFactory is malicious or compromised, so Medium severity is appropriate.

Recommendation
Add a constraint for setting the flashloan fee, for example a maximum of 10%, which is 1000 bps.
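The setter below is an added example of the recommended constraint; it is not Trader Joe's LBFactory code and does not reuse the project's identifiers. It assumes the fee is denominated in basis points (1 bps = 0.01%), so the 10% cap from the recommendation is 1000 bps, and it uses a plain `owner` check in place of whatever access control the real factory uses. Error, event and constant names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative factory with a bounded flashloan fee (added example, not the
/// audited LBFactory). Assumption: fee is expressed in basis points.
contract CappedFlashLoanFeeFactory {
    /// 10% = 1000 bps, the maximum suggested in the finding.
    uint256 public constant MAX_FLASH_LOAN_FEE = 1_000;
    uint256 public constant BASIS_POINTS = 10_000;

    address public immutable owner;
    uint256 public flashLoanFee;

    // Hypothetical error and event names for the example.
    error OnlyOwner();
    error FlashLoanFeeAboveMax(uint256 fee, uint256 maxFee);
    event FlashLoanFeeSet(uint256 oldFee, uint256 newFee);

    modifier onlyOwner() {
        if (msg.sender != owner) revert OnlyOwner();
        _;
    }

    constructor(uint256 _flashLoanFee) {
        owner = msg.sender;
        // The cap applies to the initial value too, so the contract is never
        // deployed in a state the setter would reject.
        _setFlashLoanFee(_flashLoanFee);
    }

    /// Owner-only, but the owner can no longer pick an arbitrary value.
    function setFlashLoanFee(uint256 _flashLoanFee) external onlyOwner {
        _setFlashLoanFee(_flashLoanFee);
    }

    function _setFlashLoanFee(uint256 _flashLoanFee) internal {
        // The fix: reject anything above the cap before it is stored. A
        // malicious or compromised owner who front-runs a flash loan can now
        // raise the fee to at most 10% of the borrowed amount, not 100%+.
        if (_flashLoanFee > MAX_FLASH_LOAN_FEE) {
            revert FlashLoanFeeAboveMax(_flashLoanFee, MAX_FLASH_LOAN_FEE);
        }
        uint256 oldFee = flashLoanFee;
        flashLoanFee = _flashLoanFee;
        emit FlashLoanFeeSet(oldFee, _flashLoanFee);
    }

    /// Fee a borrower of `_amount` pays under the current setting. With the
    /// cap in place this is bounded by `_amount / 10`.
    function flashLoanFeeFor(uint256 _amount) external view returns (uint256) {
        return (_amount * flashLoanFee) / BASIS_POINTS;
    }
}
```

The cap bounds the worst case rather than removing the front-running vector: an owner can still raise the fee to the maximum in the same block as a borrower's transaction. A borrower that wants a tighter guarantee should read the fee it is actually being charged inside its callback and revert if it exceeds what it agreed to pay.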