code-423n4 / 2021-05-yield-findings


Flashloan griefing attack #27

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

Funds from contracts that approved a join and implement the flashloan interface can be stolen. One can call Join.flashLoan(vulnerable_contract, token, amount) and the contract's balance will be decreased by the fees they have to pay for the flashloan. One can repeat this until the contract's balance is emptied.

Impact

Funds from contracts that approved a join and implement the flashloan interface can be "burned".

Recommended Mitigation Steps

Don't allow taking flashloans on behalf of another account, or don't allow join to transferFrom, i.e., let the receiver explicitly push the funds.

alcueca commented 3 years ago

Certainly embarrassing that I lead ERC3156 and then I do this.

I think we will fix this by taking the flash loan functionality out of the Join contracts, and then do a single Lender contract that can flash lend Join assets. That way approvals for the Joins can be done separately from approvals from the Lender.

alcueca commented 3 years ago

Actually, not an issue.

Flash loans need to be enabled by the receiver, by implementing an onFlashLoan function that returns the right sentinel value.

Contracts that are prepared to receive flash loans, shouldn't approve the Lender (Join in this case) for longer than the tx with the flash loan.

https://eips.ethereum.org/EIPS/eip-3156
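The griefing path from the issue and the receiver-side defence from the reply above, as an added Solidity example that is not Yield's Join code: a minimal ERC-3156 lender that pulls repayment with transferFrom, a borrower with a standing unlimited approval that anyone can drain one fee at a time, and a hardened borrower that only honours loans it initiated itself and approves exactly amount + fee inside the callback. Contract names, the 0.1% fee and the single-token lender are assumptions; the interfaces follow EIP-3156.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Yield's Join code. Interfaces per EIP-3156.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface IERC3156FlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

// Lender that pulls principal + fee from the receiver after the callback (the
// pattern the issue describes). `receiver` is caller-chosen, so anyone can make a
// contract with a standing approval pay the fee.
contract PullLender {
    bytes32 public constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 10; // assumption: 0.1% fee

    constructor(IERC20 t) { token = t; }

    function flashFee(uint256 amount) public pure returns (uint256) {
        return amount * FEE_BPS / 10000;
    }

    function flashLoan(IERC3156FlashBorrower receiver, address tokenAddr, uint256 amount, bytes calldata data)
        external returns (bool)
    {
        require(tokenAddr == address(token), "unsupported token");
        // Issue's lender-side mitigation (1): only self-initiated loans.
        // require(address(receiver) == msg.sender, "receiver must initiate");
        uint256 fee = flashFee(amount);
        require(token.transfer(address(receiver), amount), "transfer failed");
        require(
            receiver.onFlashLoan(msg.sender, tokenAddr, amount, fee, data) == CALLBACK_SUCCESS,
            "callback failed"
        );
        // Repayment is pulled from the receiver, fee included: the griefing vector.
        require(token.transferFrom(address(receiver), address(this), amount + fee), "repay failed");
        return true;
    }
}

// Griefable: unlimited standing approval, no check on who started the loan.
// Attacker loop: lender.flashLoan(naive, token, X, "") drains flashFee(X) per call.
contract NaiveBorrower is IERC3156FlashBorrower {
    PullLender internal immutable lender;

    constructor(PullLender l, IERC20 t) {
        lender = l;
        t.approve(address(l), type(uint256).max);
    }

    function onFlashLoan(address, address, uint256, uint256, bytes calldata)
        external override returns (bytes32)
    {
        require(msg.sender == address(lender), "untrusted lender");
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }
}

// Hardened per the reply above and EIP-3156: accept only loans this contract
// initiated, and grant an exact, single-use approval inside the callback rather
// than a standing one.
contract GuardedBorrower is IERC3156FlashBorrower {
    PullLender internal immutable lender;

    constructor(PullLender l) { lender = l; }

    function borrow(uint256 amount) external {
        lender.flashLoan(this, address(lender.token()), amount, "");
    }

    function onFlashLoan(address initiator, address tokenAddr, uint256 amount, uint256 fee, bytes calldata)
        external override returns (bytes32)
    {
        require(msg.sender == address(lender), "untrusted lender");
        require(initiator == address(this), "loan not initiated by this contract");
        IERC20(tokenAddr).approve(msg.sender, amount + fee); // consumed by the lender's transferFrom
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }
}
```

An attacker calling flashLoan(guarded, token, X, "") reverts on the initiator check, and even a receiver that forgot that check would expose only the allowance it set for the current call. The issue's second lender-side option (no transferFrom at all, receiver pushes amount + fee and the lender checks its balance before and after) removes the dependence on approvals entirely at the cost of diverging from the EIP-3156 pull model.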