Closed code423n4 closed 2 years ago
Sponsor disputed
This is a perfectly reasonable governance action to take.
As per the sponsor's comment, setting the flash fee to zero is reasonable and justified. Some protocols already provide flash loan functionality for free.
Lines of code
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2.sol#L92
Vulnerability details
Impact
Since there is no zero check for the newFee parameter in
AlchemicTokenV2.setFlashFee()
, an admin may mistakenly set the FlashMintFee to zero and allow flash minting cost to be free as well as get a flashloan at zero feeProof of Concept
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2.sol#L92
newFee
parameter insetFlashFee()
to 0Above allows flash loans for free.
Tools Used
Manual review
Recommended Mitigation Steps
add a require check for
newFee
parameter.