Stratax Contracts

First Flight #57
Beginner Friendly | DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high

Unchecked ERC20 transfer return value may cause silent collateral failure

Author: Revealed upon completion

Root + Impact

Description

  • The createLeveragedPosition() function transfers user collateral into the contract using IERC20.transferFrom() before initiating a flash loan and opening a leveraged position. The function assumes that the token transfer succeeds and proceeds with flash loan execution.

  • The ERC20 transferFrom() return value is not checked. Some non-standard ERC20 tokens return false instead of reverting on failure. In such cases, the transfer may silently fail while execution continues, leading to incorrect assumptions about collateral balance and potentially breaking leverage logic.

    IERC20(_flashLoanToken).transferFrom(
        msg.sender,
        address(this),
        _collateralAmount
    );

Risk

Likelihood: MEDIUM

  • This occurs when interacting with non-standard ERC20 tokens that return false instead of reverting.

  • This occurs when a malicious or poorly implemented token is supplied as _flashLoanToken.

Impact: MEDIUM

  • Collateral may not actually be transferred while the function continues execution.

  • Flash loan logic may proceed with incorrect accounting assumptions, potentially leading to failed repayment, inconsistent state, or broken leverage positions.

Proof of Concept

A malicious ERC20 token can override transferFrom() to always return false without reverting.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// PoC token: reports failure via the return value instead of reverting,
// which the unchecked call site in createLeveragedPosition() never sees.
contract MaliciousToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false; // silently fail: no revert, no tokens moved
    }
}

Attack scenario:

  1. Owner calls createLeveragedPosition() using the malicious token.

  2. transferFrom() returns false.

  3. The function does not check the return value.

  4. Flash loan is initiated assuming collateral was received.

  5. Position logic executes with incorrect token balance assumptions.
Recommended Mitigation

Use OpenZeppelin's SafeERC20 library to safely handle ERC20 transfers and ensure failures revert properly.

+ using SafeERC20 for IERC20;
- IERC20(_flashLoanToken).transferFrom(
- msg.sender,
- address(this),
- _collateralAmount
- );
+ IERC20(_flashLoanToken).safeTransferFrom(
+ msg.sender,
+ address(this),
+ _collateralAmount
+ );
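Review bot: the `+ using SafeERC20 for IERC20;` line is shown directly above the call site, but a `using ... for` directive must be declared at contract (or file) scope, and `SafeERC20` also needs to be imported from `@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol`; neither appears in the hunk, so a reader applying it as written would get a compile error. Suggest showing the import and the directive at contract level, e.g. `import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";` and `using SafeERC20 for IERC20;` among the contract's declarations, and keeping only the `safeTransferFrom` replacement at the call site. Worth noting in the explanation that `safeTransferFrom` also accepts tokens that return no value at all, which a plain `require(transferFrom(...))` check would reject.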

Mitigation Explanation

  • safeTransferFrom() reverts when the token returns false, and it tolerates tokens that return no value at all instead of a bool.

  • Prevents silent failures.

  • Ensures leverage logic only executes after successful collateral transfer.

  • Protects against malicious or incorrectly implemented ERC20 tokens.
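The following is an added example, not Stratax code, that puts the unchecked pattern from the description next to the SafeERC20 form from the mitigation in one small collateral-intake contract, and adds a balance-delta check as defence in depth. Contract and function names (CollateralIntakeExample, depositUnchecked, depositSafe, depositMeasured) are assumptions for illustration; the OpenZeppelin import paths are the library's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example (not the project's code): minimal collateral intake showing
/// the unchecked call from the finding beside two hardened variants.
contract CollateralIntakeExample {
    using SafeERC20 for IERC20; // directive lives at contract scope, not at the call site

    // user => token => credited collateral
    mapping(address => mapping(address => uint256)) public collateralOf;

    /// Vulnerable pattern (same shape as createLeveragedPosition()): the bool
    /// returned by transferFrom is discarded, so a token that returns false
    /// without reverting leaves the user credited for collateral never received.
    function depositUnchecked(address token, uint256 amount) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        collateralOf[msg.sender][token] += amount; // runs even if the transfer failed
    }

    /// Hardened as recommended: safeTransferFrom reverts on a false return
    /// (and on revert), and also accepts tokens that return no value at all.
    function depositSafe(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        collateralOf[msg.sender][token] += amount; // only reached after a successful transfer
    }

    /// Defence in depth: credit only what actually arrived, measured by balance
    /// delta, so that accounting cannot drift from the contract's real holdings.
    function depositMeasured(address token, uint256 amount) external returns (uint256 received) {
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        received = IERC20(token).balanceOf(address(this)) - before;
        require(received == amount, "collateral shortfall");
        collateralOf[msg.sender][token] += received;
    }
}
```

Calling depositUnchecked with the MaliciousToken from the proof of concept credits collateralOf without any balance change, which is exactly the state the finding describes; depositSafe reverts on the same input, and depositMeasured additionally rejects any token whose transfer moves fewer units than requested.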
