You should not calculate the flash loan fee in terms of WETH since it is paid in the token that is borrowed. This leads to an incorrect calculation of the fee.
Summary
The flash loan fee is .3% of the amount of tokens borrowed, and you pay the fee in the token borrowed (and this setup works because every underlying token has its own AssetToken contract). But getCalculatedFee figures the fee in terms of WETH by multiplying the amount of tokens borrowed by the token's price in WETH. This isn't necessary given that you just need to multiply the amount of tokens borrowed times .003 (with appropriate adjustments for decimals) and, further, it actually results in an incorrect amount of fees. This might be necessary if fees were paid in ETH or if you were combining the returns of multiple tokens into one asset token, but that is not how the contract is configured.
Vulnerability Details
getCalculatedFee calculates the fee in terms of WETH:
Impact
Fees are being calculated incorrectly. Given that the depositors are paid based on fees, it is important to get the calculation right. Also, because the price of these tokens in terms of WETH is pretty low, you could end up with valueofBorrowedToken equaling less than 1 and being rounded down to 0, which would mean depositors would earn nothing for a flash loan and someone would get a free flash loan.
Tools Used
Manual review
Recommendations
Change the function as follows. Note that in another finding I recommended creating a mapping of token addresses to decimals to deal with tokens with different decimals and then calling that mapping for the precision decimals instead of one hard coded s_feePrecision but I did not reflect that here:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.