In ThunderLoan.sol:197, the function updateFlashLoanFee is meant to update the fee charged on flash loans. The condition if (newFee > s_feePrecision) only rejects a fee above 100% (s_feePrecision is the scaling factor that represents a full ratio), so it does not enforce a meaningful range: any value from 0 up to and including 100% of the borrowed amount is accepted, and there is no protocol-level ceiling or floor on the fee.
Vulnerable Code:
Impact: The impact is potentially high. Because the only bound enforced is 100%, the owner could, by mistake, set an excessively high fee (for example 50% of the loan amount) that the contract accepts without complaint, breaking the economic model of the lending protocol. Users could be discouraged from using the platform by incorrect or excessive fees, directly affecting the platform's adoption and trust.
Tools Used: Manual Review, VS Code
Recommendations:
1. Input validation for newFee: validate newFee against an explicit range with both a lower and an upper limit, expressed in the same precision as s_feePrecision so that the check matches the scaling used in the fee calculations.
2. Restructure fee checks: instead of comparing newFee with s_feePrecision (which only rules out fees above 100%), compare it against a maximum allowed fee defined by the protocol, e.g. 10% expressed as s_feePrecision / 10, and revert if the new fee exceeds that threshold.