code-423n4 / 2022-05-alchemix-findings


Free Flash fee due to missing zero value check in AlchemicTokenV2.sol #210

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2.sol#L92

Vulnerability details

Impact

Since there is no zero check for the newFee parameter in AlchemicTokenV2.setFlashFee(), an admin may mistakenly set the FlashMintFee to zero and allow flash minting cost to be free as well as get a flash loan at zero fee.

Proof of Concept

https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2.sol#L92

  1. Admin sets the value of the newFee parameter in setFlashFee() to 0.
  2. This automatically returns the value 0 for flashFee().
  3. The fee for flashLoan() is also automatically set to 0.

The above allows flash loans for free.

Tools Used

Manual review

Recommended Mitigation Steps

Add a require check for the newFee parameter.

0xfoobar commented 2 years ago

Sponsor disputed

This is a perfectly reasonable governance action to take.

0xleastwood commented 2 years ago

As per the sponsor's comment, setting the flash fee to zero is reasonable and justified. Some protocols already provide flash loan functionality for free.