code-423n4 / 2021-12-sublime-findings

Extension voting power can be flashloaned #140

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The Extension contract uses the current balance (IPool.getBalanceDetails(msg.sender)) as the voting power. If this passes the threshold, the extension is granted; it doesn't matter that removeVotes removes the votes when transferring the tokens away from the voter.

If there's a secondary market for the pool tokens that allows flashloans, this means a lender (for example, the borrower could have approved itself before) can flashloan this amount, extend their repayment duration, and pay back the flashloan.

Recommended Mitigation Steps

Use a snapshot-based voting system like the Comp token does, or ungrant the extension in removeVotes if it doesn't reach the threshold anymore.
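A minimal sketch of the snapshot-based mitigation recommended above, added here as an illustration and not taken from the Sublime code base: voting weight is read from the balance at the block of the extension request, so tokens acquired afterwards, including within the voting transaction, carry no weight. The contract, its function names and the 50% threshold are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical names; not the Sublime Pool/Extension code.
contract SnapshotExtensionVote {
    struct Checkpoint { uint256 fromBlock; uint256 balance; }
    mapping(address => uint256) public balanceOf;          // current pool-token balance
    mapping(address => Checkpoint[]) private checkpoints;  // balance history per holder
    mapping(address => bool) public hasVoted;
    uint256 public immutable totalSupply;
    uint256 public snapshotBlock;                // block in which the extension was requested
    uint256 public votesFor;
    bool public extensionGranted;
    uint256 public constant THRESHOLD_PCT = 50;  // assumed passing threshold

    constructor(uint256 supply) {
        totalSupply = supply;
        _setBalance(msg.sender, supply);
    }

    // Every balance change appends a checkpoint tagged with the current block.
    function _setBalance(address who, uint256 amount) internal {
        balanceOf[who] = amount;
        checkpoints[who].push(Checkpoint(block.number, amount));
    }
    function transfer(address to, uint256 amount) external {
        _setBalance(msg.sender, balanceOf[msg.sender] - amount); // reverts on underflow
        _setBalance(to, balanceOf[to] + amount);
    }

    // Balance at the end of a past block. Scanning newest-first returns the last
    // write made in or before that block; Comp uses a binary search here instead.
    function balanceAt(address who, uint256 blockNumber) public view returns (uint256) {
        require(blockNumber < block.number, "block not finalized");
        Checkpoint[] storage c = checkpoints[who];
        for (uint256 i = c.length; i > 0; i--) {
            if (c[i - 1].fromBlock <= blockNumber) return c[i - 1].balance;
        }
        return 0;
    }

    function requestExtension() external {
        require(snapshotBlock == 0, "already requested");
        snapshotBlock = block.number;
    }
    function voteOnExtension() external {
        require(snapshotBlock != 0 && !hasVoted[msg.sender], "cannot vote");
        hasVoted[msg.sender] = true;
        // Weight is the balance at the snapshot, not the balance held right now.
        votesFor += balanceAt(msg.sender, snapshotBlock);
        if (votesFor * 100 >= totalSupply * THRESHOLD_PCT) extensionGranted = true;
    }
}
```

Because `balanceAt` only accepts a block that has already ended, votes must be cast in a block after the request, and a balance that was borrowed and returned inside one transaction never appears as an end-of-block balance.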

ritik99 commented 2 years ago

An extension can only be granted once for a particular loan, so this attack cannot be replayed, and there are no assets at risk. We would suggest a (1) Low-Risk factor for this issue.

0xean commented 2 years ago

Downgrading to low risk based on the fact that the lenders would have to willingly lend out their tokens in order for this to happen, so they in fact control the attack vector.

1 — Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.