code-423n4 / 2024-02-spectra-findings


Flash Loan Execution Permitted During Protocol Pause, Bypassing Security Checks #50

Closed c4-bot-9 closed 8 months ago

c4-bot-9 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L583-L589
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L609-L631

Vulnerability details

Impact

The current implementation allows for the initiation and execution of flash loans even when the protocol is paused. This oversight can lead to exploitation where attackers might take advantage of the protocol's paused state to manipulate or extract value in unintended ways, potentially destabilizing the system or causing financial loss.

Proof of Concept

The vulnerability exists due to the lack of a pausing mechanism check in the flashLoan function and the maxFlashLoan value retrieval. This allows users to query the maximum flash loan amount and execute flash loans even when the protocol is paused, which could lead to unexpected behavior or exploitation under paused state conditions.

Tools Used

Manual

Recommended Mitigation Steps

To mitigate this issue, it's crucial to ensure that the protocol's paused state is respected across all sensitive operations, including flash loans. This can be achieved by adding a whenNotPaused modifier (or a similar mechanism) to both the maxFlashLoan and flashLoan functions, ensuring that these operations can only be executed when the protocol is active and not paused. The modifier should enforce that any attempt to perform these operations while the protocol is paused will revert, thus upholding the intended security measures during paused states.

Adding the whenNotPaused modifier to the maxFlashLoan and flashLoan functions would look something like this:

function maxFlashLoan(address _token) public view whenNotPaused returns (uint256) {
    // existing implementation
}

function flashLoan(
    IERC3156FlashBorrower _receiver,
    address _token,
    uint256 _amount,
    bytes calldata _data
) external override whenNotPaused returns (bool) {
    // existing implementation
}

Assessed type

Context
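An added, self-contained illustration of the mitigation described in the report (not Spectra's PrincipalToken and not the warden's code): a minimal ERC-3156 lender whose flashLoan entry point is guarded by whenNotPaused, and whose maxFlashLoan view reports 0 while paused, which is how ERC-3156 signals that no loan is available, instead of reverting as the report proposes. It assumes OpenZeppelin v5 at the import paths shown and a single ERC-20 asset.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration (not the Spectra project's code): a minimal ERC-3156 lender
// whose flash-loan entry points respect the protocol pause.
// Assumes OpenZeppelin v5 contracts are available at these import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC3156FlashBorrower} from "@openzeppelin/contracts/interfaces/IERC3156FlashBorrower.sol";
import {IERC3156FlashLender} from "@openzeppelin/contracts/interfaces/IERC3156FlashLender.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract PausableFlashLender is IERC3156FlashLender, Pausable, Ownable {
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    IERC20 public immutable asset;

    constructor(IERC20 _asset) Ownable(msg.sender) { asset = _asset; }
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    // While paused the view returns 0 rather than reverting, so integrators that
    // check maxFlashLoan before borrowing see that no loan is available (ERC-3156
    // uses 0 for "no loan possible"); a whenNotPaused revert here would also work.
    function maxFlashLoan(address _token) public view override returns (uint256) {
        if (paused() || _token != address(asset)) return 0;
        return asset.balanceOf(address(this));
    }

    function flashFee(address _token, uint256) public view override returns (uint256) {
        require(_token == address(asset), "unsupported token");
        return 0; // fee-free for the illustration
    }

    // whenNotPaused makes any flash loan attempt revert (EnforcedPause) while paused.
    function flashLoan(
        IERC3156FlashBorrower _receiver,
        address _token,
        uint256 _amount,
        bytes calldata _data
    ) external override whenNotPaused returns (bool) {
        require(_amount <= maxFlashLoan(_token), "amount exceeds max");
        uint256 fee = flashFee(_token, _amount);
        require(asset.transfer(address(_receiver), _amount), "transfer failed");
        bytes32 result = _receiver.onFlashLoan(msg.sender, _token, _amount, fee, _data);
        require(result == CALLBACK_SUCCESS, "callback failed");
        // Pull principal plus fee back; the borrower must have approved this lender.
        require(asset.transferFrom(address(_receiver), address(this), _amount + fee), "repay failed");
        return true;
    }
}
```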

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as duplicate of #7

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as sufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid