The deposit function calls getCalculatedFee on the depositor's inputs of token and amount and then calls assetToken.getExchangeRate(calculatedFee). This is acting as if the depositor is being charged a fee that is then accruing to assetToken, but in fact the only people who are supposed to be charged fees are the people taking flash loans. The depositor does not pay a fee. Therefore, this is throwing off the calculation of the exchange rate.
The deposit function calculates a fee using the depositor's inputs and then updates the exchange rate using that calculated fee:
This incorrectly drives up the exchange rate by acting as if fees are earned from deposits when they are not. This can result in depositors getting more or less tokens than they should when they deposit and redeem.
Manual review
I wrote this test to show that the exchange rate will increase upon a deposit even if no flash loans have been made, which makes no sense because no extra value is accruing to each asset token share. Because the exchange rate is driven artificially high, it can mean that future depositors/redeemers can end up with more or less tokens than they deserve.
The deposit function shouldn't call getCalculatedFee, so I recommend removing the line. Also, I recommend removing the call to updateExchangeRate as well. I explained in another finding why I recommend not using the exchange rate concept for purposes of calculating how many tokens/asset tokens depositors get for deposits and redemptions.
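As an added illustration (not the submitter's test and not the project's code), the Python model below replays two equal deposits with no flash loans, once with the fee folded into the exchange rate on deposit and once without. The 1e18 fixed-point precision, the flat 0.3% fee rate, the share-minting formula and the rate-update rule are assumptions made for this model.

```python
# Simplified accounting model of the behaviour described in this finding.
# ASSUMED, not taken from the page: 1e18 precision, a flat 0.3% fee,
# shares = amount * PRECISION / rate, rate' = rate * (supply + fee) / supply.
PRECISION = 10**18
FEE_RATE = 3 * 10**15  # assumed 0.3%


class Pool:
    def __init__(self, fee_on_deposit):
        self.fee_on_deposit = fee_on_deposit
        self.rate = PRECISION  # underlying per share, fixed point
        self.supply = 0        # asset-token shares outstanding
        self.balance = 0       # underlying actually held by the pool
        self.shares = {}

    def deposit(self, who, amount):
        minted = amount * PRECISION // self.rate
        self.shares[who] = self.shares.get(who, 0) + minted
        self.supply += minted
        if self.fee_on_deposit:
            # Reported behaviour: a fee nobody paid is folded into the rate.
            fee = amount * FEE_RATE // PRECISION
            self.rate = self.rate * (self.supply + fee) // self.supply
        self.balance += amount

    def owed(self, who):
        # Underlying a holder is entitled to at the current rate.
        return self.shares[who] * self.rate // PRECISION


def run(fee_on_deposit):
    """Two constructed deposits of 1000 tokens each, no flash loans."""
    pool = Pool(fee_on_deposit)
    pool.deposit("alice", 1000 * PRECISION)
    pool.deposit("bob", 1000 * PRECISION)
    total_owed = pool.owed("alice") + pool.owed("bob")
    return pool.rate, pool.balance, total_owed, dict(pool.shares)


if __name__ == "__main__":
    for flag in (True, False):
        rate, balance, owed, shares = run(flag)
        print(f"fee_on_deposit={flag}: rate={rate} held={balance} owed={owed}")
        print(f"  shares: {shares}")
```

With the fee applied on deposit, the rate rises above 1.0 with no flash loans, the second depositor receives fewer shares for the same amount, and the total owed to holders exceeds what the pool holds.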