Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L623-L654
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L750-L752
Vulnerability details
Impact
changeFee, which is stored scaled with 4 decimals of accuracy (a basis-point style fixed-point value, not raw base-token units), is consumed as-is by flashLoan(). The function therefore charges a fee that differs from the intended one by several orders of magnitude.
Proof of Concept
The fee is taken directly from the stored changeFee without any scaling (PrivatePool.sol#L632).
The returned changeFee is a very small integer. For example, a changeFee intended to represent 1 USDC is stored as 10000 (1.0000 with 4 decimals of accuracy), so flashLoan() charges 10000 raw units of USDC, which is USD 0.01 because USDC has 6 decimals. It is worse when the baseToken has 18 decimals: 10000 wei is as good as nothing. See flashFee() at PrivatePool.sol#L750-L752.
Additionally, when baseToken is ETH, the msg.value check against this fee at PrivatePool.sol#L635 is trivially satisfied, so every flash loan passes and executes for a negligible amount of ETH.
Recommended Mitigation Steps
It is recommended to scale changeFee the same way changeFeeQuote() does before using it in flashLoan().
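The following is an added example, not code from the Caviar repository: a Python model of the fee arithmetic this finding compares, covering both the proof of concept and the recommended mitigation. It assumes changeFee carries 4 decimals of accuracy, that changeFeeQuote() scales it by 10 ** (decimals - 4), and that flashFee() returns the raw stored value; the token decimals and the sample changeFee of 10000 are constructed inputs.

```python
# Added example (not Caviar's code): models the fee paths described in the
# finding. Assumptions: changeFee has 4 decimals of accuracy, changeFeeQuote()
# scales it by 10 ** (decimals - 4), and flashFee() returns it unscaled.

CHANGE_FEE_DECIMALS = 4  # assumption: changeFee carries 4 decimals of accuracy


def change_fee_per_nft(change_fee: int, base_token_decimals: int) -> int:
    """Fee per NFT in raw base-token units, scaled the way changeFeeQuote() is
    described to do it: changeFee * 10 ** (decimals - 4)."""
    if base_token_decimals < CHANGE_FEE_DECIMALS:
        # The exponent would go negative; such a token cannot be quoted this way.
        raise ValueError("base token must have at least 4 decimals")
    return change_fee * 10 ** (base_token_decimals - CHANGE_FEE_DECIMALS)


def flash_fee_unscaled(change_fee: int, base_token_decimals: int) -> int:
    """The flashFee() behaviour the finding reports: the raw changeFee is
    returned, so its 4-decimal scale is reinterpreted as raw token units."""
    return change_fee


def flash_fee_scaled(change_fee: int, base_token_decimals: int) -> int:
    """Recommended mitigation: reuse the changeFeeQuote() scaling."""
    return change_fee_per_nft(change_fee, base_token_decimals)


def fee_shortfall_factor(change_fee: int, base_token_decimals: int) -> int:
    """How many times smaller the unscaled flash fee is than the intended one."""
    if change_fee == 0:
        return 0  # no fee configured, nothing to compare
    intended = change_fee_per_nft(change_fee, base_token_decimals)
    return intended // flash_fee_unscaled(change_fee, base_token_decimals)


def eth_fee_check_passes(msg_value: int, fee: int) -> bool:
    """Models `if (baseToken == address(0) && msg.value < fee) revert` for the
    ETH case. True means the flash loan proceeds."""
    return msg_value >= fee


def to_whole_units(raw: int, decimals: int) -> str:
    """Human-readable token amount for the demo output."""
    return f"{raw / 10 ** decimals:.{decimals}f}"


if __name__ == "__main__":
    change_fee = 10_000  # constructed: 1.0000 base token, 4 decimals of accuracy
    for name, decimals in (("USDC", 6), ("ETH", 18)):
        intended = change_fee_per_nft(change_fee, decimals)
        charged = flash_fee_unscaled(change_fee, decimals)
        print(f"{name}: intended {to_whole_units(intended, decimals)}, "
              f"flashLoan charges {to_whole_units(charged, decimals)} "
              f"({fee_shortfall_factor(change_fee, decimals)}x too small)")
    # With ETH as baseToken, 10_000 wei of msg.value clears the unscaled check,
    # while the scaled fee (1 ETH here) rejects the same call.
    dust = flash_fee_unscaled(change_fee, 18)
    print("unscaled check passes with dust:",
          eth_fee_check_passes(dust, flash_fee_unscaled(change_fee, 18)))
    print("scaled check passes with dust:  ",
          eth_fee_check_passes(dust, flash_fee_scaled(change_fee, 18)))
```

Running the block prints the 100x shortfall for a 6-decimal token and the 10^14 x shortfall for an 18-decimal one, and shows that the same 10000 wei of msg.value passes the ETH check against the unscaled fee but is rejected once the fee is scaled like changeFeeQuote().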