Skip to content

Latest commit

 

History

History
50 lines (34 loc) · 2.89 KB

080.md

File metadata and controls

50 lines (34 loc) · 2.89 KB

Obedient Lava Monkey

Medium

Missing liquidity check in validateFlashloan will cause a denial of service for protocol users as malicious actors request excessive flashloans

Summary

The missing check for sufficient liquidity in validateFlashloanSimple will cause transaction reverts for protocol users as malicious actors request flashloans exceeding reserve liquidity.

Root Cause

In ValidationLogic.sol, the validateFlashloanSimple function lacks a check to ensure the requested flashloan amount does not exceed the liquidity held by the reserve’s aToken. While the function validates the reserve's active status, paused state, and flashloan enablement, it fails to confirm if the reserve has sufficient balance to execute the loan, leading to downstream transaction failures when liquidity is insufficient. The check IERC20(reserve.aTokenAddress).totalSupply() >= amount is insufficient because totalSupply includes both available liquidity and borrowed funds, while flashloans rely solely on the available liquidity in the reserve. This means the check could falsely pass even when the reserve does not have enough unborrowed funds, leading to transaction reverts when the flashloan cannot be fulfilled. Instead, the check must use the reserve’s actual balance: IERC20(reserve.aTokenAddress).balanceOf(address(reserve.aTokenAddress)).

Internal Pre-conditions

  1. A reserve's aToken contract holds less liquidity than the flashloan amount requested.
  2. A user or actor calls validateFlashloan with amount > available liquidity.

External Pre-conditions

  1. There is no external limitation (such as input validation) on the flashloan amount requested by the user.

Attack Path

  1. A malicious actor calls the protocol's flashLoan function and requests an excessive amount (greater than the reserve’s available liquidity).
  2. The flashloan proceeds to validation, bypasses validateFlashloanSimple, and fails downstream during transfer attempts due to insufficient funds.
  3. The transaction reverts, causing disruption for legitimate users.

Impact

  • Protocol Impact: The protocol suffers degraded usability and reliability, as legitimate users face transaction failures.
  • User Impact: Users attempting flashloans will experience unnecessary gas loss due to revert behavior caused by an excessive flashloan request.

Mitigation

Add a liquidity check in validateFlashloanSimple to ensure that the flashloan amount does not exceed the reserve's available liquidity:

require(
  IERC20(reserve.underlyingAsset).balanceOf(poolAddress) >= amount,
  Errors.INSUFFICIENT_AVAILABLE_LIQUIDITY
);