Incorrect Implementation of ERC-3156 maxFlashLoan Function
Closed this issue · 0 comments
c4-bot-4 commented
Lines of code
Vulnerability details
Vulnerability Details
The Flashlender contract implements the ERC-3156 Flash Loan standard. However, its implementation of the maxFlashLoan function does not fully comply with the standard's requirements and may provide misleading information to users.
- The current implementation returns the borrowable amount for the Flashlender contract itself, rather than the actual maximum flash loan amount available in the pool.
- It implicitly returns 0 for unsupported tokens instead of explicitly doing so.
- The function doesn't accurately represent the total available liquidity for flash loans.
Code Snippet
    function maxFlashLoan(address token) external view override returns (uint256 max) {
        if (token == address(underlyingToken)) {
            max = pool.creditManagerBorrowable(address(this));
        }
    }
Impact
- Users may receive incorrect information about the maximum flash loan amount available.
- This could lead to failed transactions if users attempt to borrow more than what's actually available.
- The contract doesn't fully comply with the ERC-3156 standard, potentially causing integration issues with other systems expecting standard-compliant behavior.
Scenario
Consider a scenario where the pool has 1,000,000 tokens available for flash loans, but the Flashlender contract's credit limit is only 100,000 tokens. A user querying maxFlashLoan would receive 100,000 as the maximum, even though they could potentially borrow up to 1,000,000 tokens in a flash loan from the pool.
Fix
Implement the maxFlashLoan function to return the actual maximum flash loan amount available in the pool:
Assessed type
Context
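The scenario in this report turns on whether a flash loan is capped by the Flashlender's credit limit or by the pool's liquidity. The check below is an added example (a Python toy model, not the Flashlender contract and not code from this report) that compares the advertised maximum with the largest loan that actually succeeds; `ModelLender`, its fields, the `enforces_credit_limit` switch and the token placeholders are assumptions.

```python
# Added illustration: a toy model, not the Flashlender contract or its pool.
from dataclasses import dataclass

UNDERLYING = "0xUNDERLYING"  # constructed placeholder for the supported token
OTHER = "0xOTHER"            # constructed placeholder for an unsupported token
UINT256_MAX = 2**256 - 1


@dataclass
class ModelLender:
    pool_liquidity: int          # tokens the pool could lend out
    credit_limit: int            # stands in for pool.creditManagerBorrowable(lender)
    enforces_credit_limit: bool  # assumption: is flash_loan capped by credit_limit?

    def max_flash_loan(self, token: str) -> int:
        # Mirrors the snippet on the page: credit limit for the underlying, else 0.
        return self.credit_limit if token == UNDERLYING else 0

    def flash_loan(self, token: str, amount: int) -> bool:
        # True if the loan would succeed, False where a contract would revert.
        if token != UNDERLYING:
            return False
        cap = self.pool_liquidity
        if self.enforces_credit_limit:
            cap = min(cap, self.credit_limit)
        return amount <= cap


def largest_successful_loan(lender, token, upper_bound=UINT256_MAX):
    """Binary search for the largest amount flash_loan accepts (0 if none)."""
    lo, hi = 0, upper_bound
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if lender.flash_loan(token, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def check_max_flash_loan(lender, token):
    """Return (advertised, actual, verdict) for one token."""
    advertised = lender.max_flash_loan(token)
    actual = largest_successful_loan(lender, token)
    if advertised == actual:
        return advertised, actual, "consistent"
    verdict = "understated" if advertised < actual else "overstated"
    return advertised, actual, verdict
```

With the report's numbers (1,000,000 in the pool, a 100,000 credit limit), the verdict is "understated" only when the model's `flash_loan` ignores the credit limit, so the same comparison against the real contract shows which case applies.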