Closed code423n4 closed 2 years ago
You know, I was about to write this: "This is expected, but also irrelevant, because we won't allow 0 duration, and even if we did, the gas costs to lock and unlock in the same block in a flash loan are probably way too high to justify the "loyalty" points one gets."
However, I thought about it some more and I have to agree that if we did allow a 0 duration, this entire score system is unenforceable due to flash loans. So, because of that, I'm going to make the score function simply amount_ * duration_, and remove _zeroDurationPointBase from the contract. If we wanted "minimal" lock duration, we can simply do something small like 1 day, or even 1 second. And if we did allow 0 seconds, then it's only fair that "flash loaner" gets an NFT of 0 score.
Duplicate #139
Handle
pedroais
Vulnerability details
Impact
Anyone could use a flash loan to lock and unlock in the same block with a large amount and get an NFT with high points with funds that do not belong to him. Even if the multiplier for 0 timelock is 0, this could be done to get the NFT.
Proof of Concept
Point calculation formula: return amount * (duration + _zeroDurationPointBase);
Recommended Mitigation Steps
Add a minimal timelock of 1 block to protect the contract from flash loans.
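The scoring behaviour discussed in this issue, as an added Python model that is not code from the audited contract: it compares the original formula, the amount * duration formula, and an enforced minimum duration for a lock and unlock in the same block. The `Locker` class, `same_block_round_trip`, the base value of 100, the timestamp and the loan size are all constructed assumptions.

```python
# Constructed model, not the audited contract: names and values are assumptions.
from dataclasses import dataclass

class Revert(Exception):
    """Stands in for a Solidity revert; the whole transaction is undone."""

@dataclass
class Locker:
    zero_duration_point_base: int = 0   # original formula adds this to duration
    min_duration: int = 0               # seconds; 0 means no minimum enforced
    now: int = 1_700_000_000            # block timestamp (constructed)

    def score(self, amount: int, duration: int) -> int:
        return amount * (duration + self.zero_duration_point_base)

    def lock(self, amount: int, duration: int) -> dict:
        if duration < self.min_duration:
            raise Revert("duration below minimum")
        return {"amount": amount, "unlock_at": self.now + duration,
                "points": self.score(amount, duration)}

    def unlock(self, position: dict) -> int:
        if self.now < position["unlock_at"]:
            raise Revert("still locked")
        return position["amount"]       # principal returned, NFT keeps its points

def same_block_round_trip(locker: Locker, borrowed: int, duration: int):
    """Lock and unlock borrowed funds with no time passing, as one transaction.
    Returns the NFT points kept, or None if the transaction reverts."""
    try:
        position = locker.lock(borrowed, duration)
        repaid = locker.unlock(position)  # must succeed to repay the loan
        assert repaid == borrowed
        return position["points"]
    except Revert:
        return None

LOAN = 1_000_000  # constructed flash-loan size
original = same_block_round_trip(Locker(zero_duration_point_base=100), LOAN, 0)
fixed = same_block_round_trip(Locker(), LOAN, 0)
min_zero = same_block_round_trip(Locker(min_duration=1), LOAN, 0)
min_one = same_block_round_trip(Locker(min_duration=1), LOAN, 1)
print(original, fixed, min_zero, min_one)  # 100000000 0 None None
```

With a minimum duration in force, the round trip reverts either at lock (duration too short) or at unlock (funds still locked), so borrowed funds cannot be returned within the same transaction.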