code-423n4 / 2023-07-tapioca-findings


Users can get a flashloan via `USDO.flashLoan()`, without paying fees #1045

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/usd0/USDO.sol#L90
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/usd0/USDO.sol#L64-L69

Vulnerability details

Impact

When a user calls USDO.flashLoan(), their fee is calculated (line 90 of USDO.sol) via USDO.flashFee() based on the function parameter amount.

If the user chooses a very small amount, the calculated fee in USDO.flashFee() will be rounded down to 0 (line 69 of USDO.sol), because the numerator (amount * flashMintFee) is smaller than the denominator FLASH_MINT_FEE_PRECISION.

So for small amounts the protocol doesn't charge a fee to the user.

Since there exists a reentrancy attack vector in the codebase of the USDO.sol contract, which I submitted as a different report, the issue with the fee calculation can be exploited in order to flash loan huge amounts of USDO without paying any fees. Especially since USDO should be deployed on a chain with lower gas fees, it might be cheaper to avoid the loan fees by reentering.

I don't consider this report to be a duplicate, since the mitigation for this issue has to be done differently.

Proof of Concept

Here is a PoC that shows the exploit:

https://gist.github.com/zzzitron/c9382502c71fb353afc1210115d5a21a

To run the exploit add this malicious contract into the contracts folder:

https://gist.github.com/zzzitron/d2be7c2d688b6c3df663ace9ef3d49b9

Tools Used

Manual review

Recommended Mitigation Steps

Consider rounding up the fees.

Assessed type

Math
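The following is an added example, not code from the report above or from the Tapioca codebase. It models the integer arithmetic the report describes in plain Python with EVM-style truncating division, so the threshold below which `flashFee()` returns 0 can be computed directly, and it places the recommended round-up (ceiling division) next to the vulnerable floor division. The values of `FLASH_MINT_FEE` and `FLASH_MINT_FEE_PRECISION` are assumed for illustration and are not the constants deployed in USDO.sol; the function names `flash_fee_floor`, `flash_fee_ceil`, `max_free_amount` and `loans_needed` are hypothetical helpers, not functions in the contract.

```python
# Added example (not the report's or the project's code). Models the fee math
# from the report: fee = amount * flashMintFee / FLASH_MINT_FEE_PRECISION.
# Both constants below are ASSUMED values for illustration, not USDO.sol's.
FLASH_MINT_FEE_PRECISION = 10**5   # assumed: fee expressed in 1e-5 units
FLASH_MINT_FEE = 10                # assumed: 10 / 1e5 = 0.01% per loan

UINT256_MAX = 2**256 - 1


def _checked_mul(a: int, b: int) -> int:
    """Emulate checked uint256 multiplication: revert (raise) on overflow."""
    if a < 0 or b < 0:
        raise ValueError("uint256 values cannot be negative")
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 overflow: checked arithmetic would revert")
    return product


def flash_fee_floor(amount: int, fee: int = FLASH_MINT_FEE,
                    precision: int = FLASH_MINT_FEE_PRECISION) -> int:
    """Vulnerable form: Solidity's `/` truncates, so amount * fee < precision
    yields a fee of 0 even though amount > 0."""
    return _checked_mul(amount, fee) // precision


def flash_fee_ceil(amount: int, fee: int = FLASH_MINT_FEE,
                   precision: int = FLASH_MINT_FEE_PRECISION) -> int:
    """Mitigated form (the report's recommendation): round the division up,
    so every non-zero amount pays at least 1 unit of fee."""
    numerator = _checked_mul(amount, fee)
    if numerator == 0:
        return 0
    # ceil(numerator / precision) without floating point; the `+ precision - 1`
    # term is itself checked so the guard cannot be bypassed by overflow.
    return _checked_mul(1, numerator + precision - 1) // precision


def max_free_amount(fee: int = FLASH_MINT_FEE,
                    precision: int = FLASH_MINT_FEE_PRECISION) -> int:
    """Largest amount for which the floor fee is 0, i.e. amount * fee < precision."""
    return (precision - 1) // fee


def loans_needed(total: int, fee: int = FLASH_MINT_FEE,
                 precision: int = FLASH_MINT_FEE_PRECISION) -> int:
    """How many fee-free loans of max_free_amount it takes to move `total`
    in aggregate. This only counts the arithmetic; whether the loans can be
    chained in one transaction depends on the separate reentrancy finding."""
    chunk = max_free_amount(fee, precision)
    return -(-total // chunk)  # ceiling division


def ceil_never_zero(upper: int, fee: int = FLASH_MINT_FEE,
                    precision: int = FLASH_MINT_FEE_PRECISION) -> bool:
    """Sweep amounts 1..upper and confirm the rounded-up fee is never 0.
    A cheap invariant check for the mitigation."""
    return all(flash_fee_ceil(a, fee, precision) >= 1 for a in range(1, upper + 1))


if __name__ == "__main__":
    free = max_free_amount()
    print(f"largest zero-fee amount under floor division: {free}")
    print(f"floor fee for {free}: {flash_fee_floor(free)}, "
          f"for {free + 1}: {flash_fee_floor(free + 1)}")
    print(f"ceil  fee for 1: {flash_fee_ceil(1)}, for {free}: {flash_fee_ceil(free)}")
    print(f"fee-free loans needed to move 10**18 units: {loans_needed(10**18)}")
    print(f"ceil fee never zero for 1..10**5: {ceil_never_zero(10**5)}")
```

With the assumed constants, any single loan of up to 9999 units pays nothing under floor division, while the ceiling version charges at least 1 unit for every non-zero amount. Rounding up also preserves the fee for large amounts (it differs from floor by at most 1 unit), so it does not change the economics of ordinary flash loans.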

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

Consider QA level

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b