Submission Details
Severity: high
Valid

Invalid token fee calculations during flash loans

Summary

The getCalculatedFee function calculates the flash loan fee without considering the token's decimals. This oversight leads to incorrect fee calculations during flash loans. To produce accurate results, the fee calculation should take the token's decimals into account.

Vulnerability Details

In the contract, the getCalculatedFee function calculates the flash loan fee as follows:

function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
    // Always divides by s_feePrecision, whatever the token's decimals are.
    uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / s_feePrecision;
    fee = (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision;
}

The issue here is that the calculation of valueOfBorrowedToken doesn't consider the token's decimals, and this may lead to incorrect fee calculations. Tokens can have different decimal places (e.g., some tokens have 18 decimals, while others have 6 or different numbers), and failing to account for these decimals can result in fee miscalculations.

Impact

The impact of the invalid token fee calculation issue can be significant:

  • Incorrect Fee Calculation: Without considering the token's decimals, the calculated fee may be inaccurate, leading to users being charged incorrect fees during flash loans.

  • Financial Loss: Users relying on accurate fee calculations may experience financial losses due to miscalculated fees.

Tools Used

Manual / VS Code

Recommendations

To address the invalid token fee calculation issue:

  1. Token Decimals Consideration: Modify the getCalculatedFee function to account for the token's decimals when calculating the fee. Use the token's decimals() function, exposed through IERC20Metadata, to adjust the calculation.

    Example:

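    // Requires IERC20Metadata from OpenZeppelin (token/ERC20/extensions/IERC20Metadata.sol).
    function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
        uint8 decimals = IERC20Metadata(address(token)).decimals();
        // Normalise the borrowed amount by the token's own unit (10**decimals).
        uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / (10 ** decimals);
        // s_flashLoanFee is a rate scaled by s_feePrecision, so this divisor does not depend on the token.
        fee = (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision;
    }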
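
The effect of the two formulas on tokens with different decimals, modelled with Python integers (an added example, not code from the submission or the audited project). The fee precision of 1e18, the 0.3% fee rate, the price scale (WETH wei per whole token) and the sample loan are assumed values that do not come from this page.

```python
# Integer model of getCalculatedFee. Python's // on non-negative ints matches
# Solidity's truncating uint256 division.
# Assumed values (not given on the page): fee precision 1e18, fee rate 0.3%,
# and a getPriceInWeth that returns WETH wei per one whole token.
FEE_PRECISION = 10**18        # stands in for s_feePrecision (assumed)
FLASH_LOAN_FEE = 3 * 10**15   # stands in for s_flashLoanFee, 0.3% (assumed)


def fee_original(amount: int, price_in_weth: int) -> int:
    """Formula quoted in the finding: always divides by FEE_PRECISION."""
    value = amount * price_in_weth // FEE_PRECISION
    return value * FLASH_LOAN_FEE // FEE_PRECISION


def fee_decimals_aware(amount: int, price_in_weth: int, decimals: int) -> int:
    """Normalise the amount by the token's own unit; keep the rate precision."""
    value = amount * price_in_weth // 10**decimals
    return value * FLASH_LOAN_FEE // FEE_PRECISION


def compare(whole_tokens: int, price_in_weth: int, decimals_list):
    """Fee for the same number of whole tokens at the same price, per decimals."""
    rows = []
    for d in decimals_list:
        amount = whole_tokens * 10**d  # raw units, as passed to the contract
        rows.append((d,
                     fee_original(amount, price_in_weth),
                     fee_decimals_aware(amount, price_in_weth, d)))
    return rows


if __name__ == "__main__":
    # Constructed scenario: 1,000 whole tokens priced at 0.0005 WETH each.
    for d, orig, fixed in compare(1_000, 5 * 10**14, [18, 8, 6]):
        print(f"decimals={d:2d} original={orig} decimals_aware={fixed}")
    # Constructed edge case: 0.1 of a 6-decimal token truncates to a zero fee.
    print("0.1 token, 6 decimals:", fee_original(10**5, 5 * 10**14))
```

Under these assumed values the original formula yields 1,500 wei for the 6-decimal token against 1.5e15 wei for the 18-decimal token on the same position, and the 0.1-token loan truncates to a zero fee.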
Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

flashloan with differing fees/prices for different decimal tokens
