On Synth.sol, we have the method realise that checks if the LP value is higher than the Synth value. If confirmed, it will burn the premium LP.
Using a flash loan, we can add liquidity to the pool, mint some LP tokens.
Then, call realise using the pool address. Because of the flash loan, the LP value will be higher than Synth.
It will burn the premium LP.
Then, we redeem the LP tokens for the tokens and pay the fee of the flash loan.
SamusElderg
commented
3 years ago
Handle
a_delamo
Vulnerability details
Impact
On
Synth.sol, we have the methodrealisethat checks if the LP value is higher than the Synth value. If confirmed, it will burn the premium LP.Using a flash loan, we can add liquidity to the pool, mint some LP tokens. Then, call
realiseusing the pool address. Because of the flash loan, the LP value will be higher than Synth. It will burn the premium LP. Then, we redeem the LP tokens for the tokens and pay the fee of the flash loan.