Submission Details
Severity: medium
Invalid

The supplied token isn't validated as an allowed AssetToken in the flashLoan function, causing the function to fail.

Summary

Missing validation of the supplied token in the flashLoan function causes the function to fail when an unsupported token is provided.

Vulnerability Details

AssetToken assetToken = s_tokenToAssetToken[token];

The above line in the flashLoan function is meant to return the corresponding asset token for a supplied ERC20 token. It does not revert when a token that is not allowed is provided; instead it returns the zero address, which is the default behavior in Solidity when a mapping to an address is queried with a non-existent key. At the line uint256 fee = getCalculatedFee(token, amount); the function will then abruptly revert, because it tries to call getPriceOfOnePoolTokenInWeth() on the returned zero address, which is invalid.

Impact

The user is unable to execute a flash loan, and no valid error or reason is returned.

Tools Used

Manual Review

Recommendations

Add the following line of code to the flashLoan function and to the getCalculatedFee function, so that both revert with a proper error when an unsupported token is supplied:

if(!isAllowedToken(token)) revert ThunderLoan__NotAllowedToken(token);
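
The mapping lookup described under Vulnerability Details and the recommended check, side by side, as an added example that is not part of the submission or of the ThunderLoan code base. AssetTokenStub, TokenRegistryExample, allowToken, rate, rateUnchecked and rateChecked are hypothetical names; only s_tokenToAssetToken, isAllowedToken and the custom error are taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for an asset token; not the project's AssetToken.
contract AssetTokenStub {
    function rate() external pure returns (uint256) {
        return 1e18;
    }
}

// Hypothetical minimal registry that isolates the lookup pattern only.
contract TokenRegistryExample {
    error ThunderLoan__NotAllowedToken(address token);

    mapping(address => AssetTokenStub) private s_tokenToAssetToken;

    // Demonstration helper (hypothetical, no access control): registers a token.
    function allowToken(address token) external {
        s_tokenToAssetToken[token] = new AssetTokenStub();
    }

    // A token is allowed only if the mapping holds a non-zero asset token for it.
    function isAllowedToken(address token) public view returns (bool) {
        return address(s_tokenToAssetToken[token]) != address(0);
    }

    // Unchecked lookup: an unregistered key yields the zero address, and the
    // external call made on it reverts with empty revert data (no reason).
    function rateUnchecked(address token) external view returns (uint256) {
        AssetTokenStub assetToken = s_tokenToAssetToken[token];
        return assetToken.rate();
    }

    // Checked lookup: the same input now reverts with a named custom error
    // that carries the offending token address.
    function rateChecked(address token) external view returns (uint256) {
        if (!isAllowedToken(token)) revert ThunderLoan__NotAllowedToken(token);
        AssetTokenStub assetToken = s_tokenToAssetToken[token];
        return assetToken.rate();
    }
}
```

Both functions revert for an unregistered token; the difference is only in the revert data a caller or test harness can decode.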

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
