Open hats-bug-reporter[bot] opened 8 months ago
I don't think this one is true - we need to approve the aave POOL to pull tokens, as it does at the end of the flashloan.
If you remove the line as you suggest then re-running tests shows failures:
forge test --mc StEth
You are totally right, my bad. It is invalid.
In the following line, I misunderstood that msg.sender (flashLoanProvider) was the actual pool providing the flashloan (instead of the origami flashloan provider), and that the loan was already repaid after that line.
// Transfer the total flashloan amount + fee back to the `flashLoanProvider` for repayment
@> _debtToken.safeTransfer(msg.sender, amount+fee);
I should have changed the line and run the tests myself, sorry.
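The repayment flow discussed in this thread, as an added example that is not part of the original issue or the project's code: a simplified Python model of an ERC-20 allowance and a pool that pulls its repayment. The names `Token`, `run_flashloan`, the account labels and the amounts are hypothetical, and the position of the callback relative to the approval is an assumption.

```python
class Revert(Exception):
    """Models an EVM revert."""

class Token:
    """Minimal ERC-20 model with balances and allowances (constructed for this example)."""
    def __init__(self):
        self.bal, self.allow = {}, {}

    def transfer(self, src, dst, amt):
        if self.bal.get(src, 0) < amt:
            raise Revert("insufficient balance")
        self.bal[src] -= amt
        self.bal[dst] = self.bal.get(dst, 0) + amt

    def approve(self, owner, spender, amt):
        self.allow[(owner, spender)] = amt

    def transfer_from(self, spender, src, dst, amt):
        if self.allow.get((src, spender), 0) < amt:
            raise Revert("insufficient allowance")
        self.transfer(src, dst, amt)
        self.allow[(src, spender)] -= amt  # a finite allowance is consumed by the pull

def run_flashloan(approve_pool, amount=1_000, fee=5):
    """Run one flashloan round trip; return (repaid, leftover_allowance)."""
    t = Token()
    t.bal = {"POOL": 10_000, "RECEIVER": fee}   # constructed balances; receiver can pay the fee
    t.transfer("POOL", "PROVIDER", amount)       # pool sends the loan to the provider
    # --- executeOperation() on the provider ---
    t.transfer("PROVIDER", "RECEIVER", amount)   # funds forwarded to flReceiver
    if approve_pool:
        t.approve("PROVIDER", "POOL", amount + fee)   # the forceApprove() under discussion
    # flashLoanCallback() (assumed to run here): the receiver sends amount+fee
    # back to msg.sender, which is the provider and not the pool
    t.transfer("RECEIVER", "PROVIDER", amount + fee)
    # --- back in the pool: the repayment is pulled from the provider ---
    try:
        t.transfer_from("POOL", "PROVIDER", "POOL", amount + fee)
    except Revert:
        return False, t.allow.get(("PROVIDER", "POOL"), 0)
    return True, t.allow[("PROVIDER", "POOL")]
```

With the approval the pull succeeds and the exact-amount allowance ends at zero; without it the pull reverts, which matches the test failures reported above.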
Github username: @JacoboLansac
Twitter username: jacolansac
Submission hash (on-chain): 0xcb3eb220e001344633da7e393119832ae4512bd11117ffe8b3cb3b42c67df090
Severity: low
Description: When the FlashLoanProvider handles a flashloan callback with the executeOperation() function, there is a forceApprove() statement to approve the Aave pool to spend _flAmount+flFees from the FlashLoanProvider contract:

However, this approval is unnecessary, because the funds are transferred to the flReceiver just in the previous line (so the flash-loaned tokens are not in this contract anymore). Moreover, the flashloan + fees are repaid by the flReceiver, as can be seen at the end of OrigamiLovTokenFlashAndBorrowManager:flashLoanCallback():

This means that at the end of each executeOperation() call, there will be dangling approvals to the Aave pool contract to spend the flashloan+fees tokens on behalf of the FlashLoanProvider contract.

Impact: low
The impact is low for two reasons:
FlashLoanProvider for more than one transaction, so there is nothing to steal

Recommendation
I would still recommend removing this approval, in case some other changes made to the code could suddenly make this dangling approval not-harmless.