mike-watson
high
Flash loan borrower can steal funds
Summary
The GSPTrader.sol contract is vulnerable to a flash loan exploit because the sync function in GSPVault.sol is publicly accessible. This allows a user to manipulate the contract state during a flash loan, potentially leading to the theft of funds.
Vulnerability Detail
The flash loan function in GSPTrader.sol can be exploited through the following steps:
1. The user obtains a flash loan.
2. The user calls the public sync function in GSPVault.sol, which synchronizes the reserves with the current token balances.
3. The user repays the flash loan with the exact _MT_FEE_BASE_ and _MT_FEE_QUOTE_ token amounts.
4. The require check in GSPTrader.sol passes because the balances now match the reserves, so the flash loan completes without the borrowed funds actually being returned.
This exploit is possible because the sync function can be called by any user, allowing them to manipulate the reserve balances during the flash loan process.
Impact
This vulnerability can lead to the theft of funds from the contract, as users can exploit the flash loan mechanism to withdraw more tokens than they return. It undermines the security and integrity of the flash loan process and the contract as a whole.
Code Snippet
Relevant code section in GSPVault.sol:
POC exploit code - paste it in GSPTrader.t.sol
Tool used
Manual Review
Recommendation
Restrict access to the sync function in GSPVault.sol so that it cannot be called by unauthorized users. This can be achieved by adding an access control mechanism, such as an onlyOwner or onlyAuthorized modifier. By limiting the public accessibility of the sync function, the contract prevents malicious actors from manipulating the reserve balances during a flash loan, thereby safeguarding the funds and maintaining the integrity of the flash loan process.
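As an added illustration (not code from the finding or from the GSP project), the shape of the change the recommendation describes: a vault whose sync is open to anyone beside the same vault gated by a maintainer role. The storage names, the fee-netting in _sync, the _MAINTAINER_ address and the onlyMaintainer modifier are assumptions; the real GSPVault.sol may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Assumed vault skeleton holding only the storage the finding mentions.
abstract contract VaultBase {
    IERC20 public _BASE_TOKEN_;
    IERC20 public _QUOTE_TOKEN_;
    uint112 public _BASE_RESERVE_;
    uint112 public _QUOTE_RESERVE_;
    uint256 public _MT_FEE_BASE_;   // maintainer fee held in the vault (assumed)
    uint256 public _MT_FEE_QUOTE_;

    constructor(IERC20 base, IERC20 quote) {
        _BASE_TOKEN_ = base;
        _QUOTE_TOKEN_ = quote;
    }

    // Reserves are overwritten with whatever the vault holds right now (net of fees).
    // If this runs while a flash loan is outstanding, the depleted balance becomes
    // the new reserve, and a later "balance matches reserve" check compares against
    // that lowered figure instead of the pre-loan one.
    function _sync() internal {
        _BASE_RESERVE_ = uint112(_BASE_TOKEN_.balanceOf(address(this)) - _MT_FEE_BASE_);
        _QUOTE_RESERVE_ = uint112(_QUOTE_TOKEN_.balanceOf(address(this)) - _MT_FEE_QUOTE_);
    }
}

// Vulnerable shape described in the finding: any caller may resync at any time.
contract VulnerableVault is VaultBase {
    constructor(IERC20 b, IERC20 q) VaultBase(b, q) {}
    function sync() external { _sync(); }
}

// Hardened shape per the recommendation: only the maintainer may force a resync.
contract HardenedVault is VaultBase {
    address public immutable _MAINTAINER_;   // assumed privileged role

    modifier onlyMaintainer() {
        require(msg.sender == _MAINTAINER_, "ACCESS_DENIED");
        _;
    }

    constructor(IERC20 b, IERC20 q, address maintainer) VaultBase(b, q) {
        _MAINTAINER_ = maintainer;
    }

    function sync() external onlyMaintainer { _sync(); }
}
```

The access modifier closes the path the finding describes; any remaining callers of sync (here, the maintainer) should be reviewed against the same mid-flash-loan timing.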
Duplicate of #42