code-423n4 / 2022-10-traderjoe-findings


Flashloan Fee Distributed Only To Active Bin And Not Equally #489

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L452

https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L453

Vulnerability details

Impact

The LBPair contract's flashLoan method allows borrowers to borrow funds in an atomic flashloan. The borrowed tokens must be returned along with a fee. This fee is, however, only distributed to liquidity providers of the currently active price range in the pair, also referred to as a "bin", despite the borrower being able to use funds deposited for other bins. Depending on the liquidity in the active bin, a borrower could also atomically move the price to a price range in which they're the only liquidity provider to achieve a very low practical borrowing cost.

Proof of Concept

  1. Initiate flashloan
  2. Repay flashloan with fee
  3. Compare accrued fees for accounts providing liquidity in the active vs. not active bins via pendingFees.

Tools Used

Manual review.

Recommended Mitigation Steps

Add a global fee accumulator for tokens X and Y to track fees accruing globally to all liquidity providers of a given pool. In the flashLoan method, update the global accumulator rather than the bin-specific accumulator to ensure that the fee is fairly shared across all liquidity providers proportional to their contribution.
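
The accounting difference described in the report above, as an added example that is not part of the original issue or of the Trader Joe code base: a simplified Python model (not Solidity, and not LBPair's actual storage layout) that credits one flash-loan fee first to the active bin only and then pro rata across all bins. The bin ids, provider names, amounts and function names are constructed for illustration.

```python
from fractions import Fraction

# Constructed sample pool: bin id -> {liquidity provider: liquidity units}.
# Ids, names and amounts are made up; bin 100 is treated as the active bin.
SAMPLE_BINS = {
    99: {"alice": 900},
    100: {"bob": 100},
    101: {"carol": 600, "alice": 400},
}


def _pro_rata(balances, fee):
    """Split `fee` exactly over `balances` in proportion to each amount."""
    total = sum(balances.values())
    if total == 0:
        # Edge case: nobody to credit, so the fee would otherwise be stranded.
        raise ValueError("no liquidity to credit the fee to")
    return {lp: Fraction(fee * amt, total) for lp, amt in balances.items() if amt}


def fees_active_bin_only(bins, active_id, fee):
    """Behaviour the report describes: the whole fee accrues to the active bin."""
    return _pro_rata(bins.get(active_id, {}), fee)


def fees_global(bins, fee):
    """Behaviour the report recommends: one accumulator over all bins."""
    totals = {}
    for balances in bins.values():
        for lp, amt in balances.items():
            totals[lp] = totals.get(lp, 0) + amt
    return _pro_rata(totals, fee)


def uncompensated_liquidity(bins, payouts):
    """Liquidity that was lendable but belongs to LPs who received no fee."""
    return sum(amt for balances in bins.values()
               for lp, amt in balances.items() if lp not in payouts)


if __name__ == "__main__":
    fee = 20
    for label, payouts in (
        ("active bin only", fees_active_bin_only(SAMPLE_BINS, 100, fee)),
        ("global pro rata", fees_global(SAMPLE_BINS, fee)),
    ):
        unpaid = uncompensated_liquidity(SAMPLE_BINS, payouts)
        print(f"{label}: {dict(payouts)} uncompensated liquidity={unpaid}")
```
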

Shungy commented 1 year ago

I find this finding to be valid.

Duplicate: https://github.com/code-423n4/2022-10-traderjoe-findings/issues/136

I believe it can be higher severity as the exploit path is practical and protocol fee loss is a loss. A finding can still be high risk without being critical.

Disclaimer: I submitted the same finding, hence an increase in severity would benefit me.

GalloDaSballo commented 1 year ago

Dup of https://github.com/code-423n4/2022-10-traderjoe-findings/issues/136

c4-judge commented 1 year ago

GalloDaSballo marked the issue as satisfactory

c4-judge commented 1 year ago

GalloDaSballo marked the issue as not a duplicate

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #136