Submission Details
Severity: low
Invalid

You should check that the depositor has sufficient tokens in their wallet to deposit at the beginning of the deposit function

Summary

There is no check in the deposit function that the depositor has the amount of tokens in their wallet to make the deposit according to the input they provide. The function would eventually revert on the last line when the function tries to take the tokens from their wallet, but there is no reason to wait all the way until the end to revert.

Vulnerability Details

A depositor can input any amount of tokens to deposit regardless of what they actually have:

    function deposit(
        IERC20 token,
        uint256 amount
    ) external revertIfZero(amount) revertIfNotAllowedToken(token) {
        AssetToken assetToken = s_tokenToAssetToken[token];
        uint256 exchangeRate = assetToken.getExchangeRate();
        uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) /
            exchangeRate;
        emit Deposit(msg.sender, token, amount);
        assetToken.mint(msg.sender, mintAmount);
        uint256 calculatedFee = getCalculatedFee(token, amount);
        assetToken.updateExchangeRate(calculatedFee);
        token.safeTransferFrom(msg.sender, address(assetToken), amount);
    }

Impact

It is better to have a check at the beginning that prevents them from trying to deposit more than they have. It is also a waste of gas to process the entire function when they don't have sufficient tokens to deposit.

Tools Used

Manual review

Recommendations

Add a check that amount is not greater than the balance of the token in their wallet:

    if (amount > token.balanceOf(msg.sender)) {
        revert ThunderLoan__InsufficientTokens();
    }

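An added example (not ThunderLoan code and not part of the submission) that puts the recommended early check next to the existing late revert for a caller holding zero tokens. MiniToken, MiniVault, Demo and the failFast flag are hypothetical stand-ins, and the mock uses a plain transferFrom instead of safeTransferFrom; only the error name and the balance check come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-ins for illustration; not the audited contracts.
contract MiniToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // reverts on underflow without allowance
        balanceOf[from] -= amount;             // reverts on underflow without balance
        balanceOf[to] += amount;
        return true;
    }
}

contract MiniVault {
    error ThunderLoan__InsufficientTokens();
    mapping(address => uint256) public shares;

    function deposit(MiniToken token, uint256 amount, bool failFast) external {
        // Recommended check: reject before any state is touched.
        if (failFast && amount > token.balanceOf(msg.sender)) {
            revert ThunderLoan__InsufficientTokens();
        }
        shares[msg.sender] += amount;                          // mint first, as in the original ordering
        token.transferFrom(msg.sender, address(this), amount); // still the enforcing step
    }
}

contract Demo {
    // Runs both paths for a caller with allowance but no balance.
    function run() external returns (bool early, bool late, uint256 sharesAfter) {
        MiniToken token = new MiniToken();
        MiniVault vault = new MiniVault();
        token.approve(address(vault), type(uint256).max);
        try vault.deposit(token, 1 ether, true) {} catch (bytes memory data) {
            early = bytes4(data) == MiniVault.ThunderLoan__InsufficientTokens.selector;
        }
        try vault.deposit(token, 1 ether, false) {} catch { late = true; }
        sharesAfter = vault.shares(address(this)); // stays 0: the late revert undid the mint
    }
}
```

Both paths revert and leave no shares behind; the early check changes the error returned and the gas spent before the revert. A balance check does not cover a missing allowance, so the transfer remains the step that enforces the deposit.
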
Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
