Closed code423n4 closed 2 years ago
Sponsor disputed
This is a perfectly reasonable governance action to take.
Same as #210
Lines of code
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2Base.sol#L98
Vulnerability details
Impact
Since there is no zero check for the newFee parameter in AlchemicTokenV2Base.setFlashFee(), an admin may mistakenly set the FlashMintFee to zero and allow flash minting cost to be free as well as get a flashloan at zero fee.
Proof of Concept
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2Base.sol#L98
newFee parameter in setFlashFee() to 0
Above allows flash loans for free.
Tools Used
Manual review
Recommended Mitigation Steps
Add a require check for newFee parameter.