Closed code423n4 closed 3 years ago
Certainly embarrassing that I lead ERC3156 and then I do this.
I think we will fix this by taking the flash loan functionality out of the Join contracts, and then do a single Lender contract that can flash lend Join assets. That way approvals for the Joins can be done separately from approvals from the Lender.
Actually, not an issue.
Flash loans need to be enabled by the receiver, by implementing an onFlashLoan function that returns the right sentinel value.
Contracts that are prepared to receive flash loans, shouldn't approve the Lender (Join in this case) for longer than the tx with the flash loan.
Handle
cmichel
Vulnerability details
Funds from contracts that approved a join and implement the flashloan interface can be stolen. One can call Join.flashLoan(vulnerable_contract, token, amount) and the contract's balance will be decreased by the fees they have to pay for the flashloan. One can repeat this until the contract's balance is emptied.
Impact
Funds from contracts that approved a join and implement the flashloan interface can be "burned".
Recommended Mitigation Steps
Don't allow taking flashloans on behalf of another account, or don't allow join to transferFrom, i.e., let the receiver explicitly push the funds.
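The griefing path from the report, the two lender-side mitigations it recommends, and the receiver-side defence from the maintainer's comment, written out as an added example. This is not Yield's Join code and not code from the report; the contract names (GriefableJoin, SelfOnlyJoin, PushRepayJoin, ScopedBorrower), the FEE_BPS value and the `lender` field are hypothetical, while the onFlashLoan signature and the CALLBACK_SUCCESS sentinel are ERC-3156's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Yield's code. Contract names, FEE_BPS and the `lender` field are
// hypothetical; the callback signature and sentinel value are ERC-3156's.

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IERC3156FlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

interface IERC3156FlashLender {
    function flashLoan(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool);
}

bytes32 constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

abstract contract JoinBase is IERC3156FlashLender {
    address public immutable asset;
    uint256 public constant FEE_BPS = 9; // hypothetical 0.09% fee

    constructor(address asset_) { asset = asset_; }

    function flashFee(uint256 amount) public pure returns (uint256) {
        return amount * FEE_BPS / 10_000;
    }

    // Send the principal and run the callback; how repayment is collected is what differs below.
    function _lend(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data)
        internal returns (uint256 fee)
    {
        require(token == asset, "unsupported token");
        fee = flashFee(amount);
        require(IERC20(asset).transfer(address(receiver), amount), "lend failed");
        require(receiver.onFlashLoan(msg.sender, token, amount, fee, data) == CALLBACK_SUCCESS, "callback");
    }
}

// The shape the report describes: anyone may name any receiver, and the Join pulls amount + fee
// from that receiver with transferFrom. A contract holding a standing allowance for the Join
// loses `fee` on every flashLoan(victim, asset, amount) an attacker makes in its name.
contract GriefableJoin is JoinBase {
    constructor(address asset_) JoinBase(asset_) {}

    function flashLoan(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data)
        external override returns (bool)
    {
        uint256 fee = _lend(receiver, token, amount, data);
        require(IERC20(asset).transferFrom(address(receiver), address(this), amount + fee), "repay");
        return true;
    }
}

// Lender-side fix 1 (report's first suggestion): a receiver is only charged for loans it opened.
contract SelfOnlyJoin is JoinBase {
    constructor(address asset_) JoinBase(asset_) {}

    function flashLoan(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data)
        external override returns (bool)
    {
        require(address(receiver) == msg.sender, "receiver must initiate");
        uint256 fee = _lend(receiver, token, amount, data);
        require(IERC20(asset).transferFrom(address(receiver), address(this), amount + fee), "repay");
        return true;
    }
}

// Lender-side fix 2 (report's second suggestion): the Join never calls transferFrom. The receiver
// pushes amount + fee back during the callback and the Join checks its own balance, so no
// allowance to the Join is ever needed.
contract PushRepayJoin is JoinBase {
    constructor(address asset_) JoinBase(asset_) {}

    function flashLoan(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data)
        external override returns (bool)
    {
        uint256 before = IERC20(asset).balanceOf(address(this));
        uint256 fee = _lend(receiver, token, amount, data);
        require(IERC20(asset).balanceOf(address(this)) >= before + fee, "not repaid");
        return true;
    }
}

// Receiver-side defence (the maintainer's point) for a pull-style Join: accept only loans this
// contract initiated from its known lender, and grant the allowance inside the callback so it is
// consumed in the same transaction instead of sitting as a standing approval.
contract ScopedBorrower is IERC3156FlashBorrower {
    IERC3156FlashLender public immutable lender;

    constructor(IERC3156FlashLender lender_) { lender = lender_; }

    function borrow(address token, uint256 amount) external {
        lender.flashLoan(this, token, amount, "");
    }

    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata)
        external override returns (bytes32)
    {
        require(msg.sender == address(lender), "untrusted lender");
        require(initiator == address(this), "loan not initiated by us");
        // ... use the borrowed funds here ...
        require(IERC20(token).approve(msg.sender, amount + fee), "approve"); // exact, single-use allowance
        return CALLBACK_SUCCESS;
    }
}
```

Against GriefableJoin, ScopedBorrower is still safe because the initiator check makes any third-party flashLoan(ScopedBorrower, ...) revert in the callback, and because it never leaves an allowance behind for the Join to draw on; the lender-side fixes protect receivers that do not take those precautions. PushRepayJoin expects the receiver to transfer amount + fee back in the callback rather than approve it, so a borrower written for it would call transfer instead of approve.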