Normal behavior: nested flash loans should either be safely supported or clearly rejected before the callback executes.
Issue: a single boolean s_currentlyFlashLoaning[token] tracks loan state. In nested same-token loans, completion of the inner loan sets the flag to false before the outer callback ends, causing the outer repay() to revert with NotCurrentlyFlashLoaning.
Likelihood:
Triggered by nested same-token integrations.
Current state model uses one boolean instead of loan-depth/context tracking.
Impact:
Liveness/integration fragility for nested callbacks.
Not demonstrated as direct theft in validated PoC, but repay pathway fails.
Validated PoC: test/audit/ThirdPassDelta.t.sol::test_I01_NestedSameTokenFlashloan_RepayPathStateDesyncReverts (PASS).
Track a per-token loan depth counter or per-loan context IDs.
Alternatively, disallow nested same-token flash loans with an explicit upfront revert.
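
The depth-counter mitigation, sketched as an added example (not the audited contract's code and not part of the original submission). The contract name, interfaces, fee value and function signatures are assumptions made for illustration; only repay(), NotCurrentlyFlashLoaning and the idea of replacing s_currentlyFlashLoaning[token] come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces, assumed for this sketch.
interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IFlashReceiver {
    function onFlashLoan(address token, uint256 amount, uint256 fee) external;
}

// Hypothetical lender: tracks how many loans of a token are open instead of one boolean.
contract DepthTrackedLender {
    error NotCurrentlyFlashLoaning(address token);
    error NotPaidBack(uint256 expected, uint256 actual);

    // Number of loans of `token` whose callback has not returned yet.
    mapping(address => uint256) private s_flashLoanDepth;
    uint256 private constant FEE_BPS = 30; // assumed fee, illustration only

    function flashloan(IFlashReceiver receiver, address token, uint256 amount) external {
        IERC20Like t = IERC20Like(token);
        uint256 startingBalance = t.balanceOf(address(this));
        uint256 fee = (amount * FEE_BPS) / 10_000;

        s_flashLoanDepth[token] += 1; // outer loan: 0 -> 1, nested loan: 1 -> 2
        require(t.transfer(address(receiver), amount), "transfer failed");
        receiver.onFlashLoan(token, amount, fee); // may re-enter flashloan() for the same token
        s_flashLoanDepth[token] -= 1; // inner exit leaves depth at 1, so the outer loan stays open

        // Each nesting level checks its own balance delta.
        uint256 endingBalance = t.balanceOf(address(this));
        if (endingBalance < startingBalance + fee) {
            revert NotPaidBack(startingBalance + fee, endingBalance);
        }
    }

    function repay(address token, uint256 amount) external {
        // Open while any loan of this token is active, including the outer one after an inner loan ended.
        if (s_flashLoanDepth[token] == 0) revert NotCurrentlyFlashLoaning(token);
        require(IERC20Like(token).transferFrom(msg.sender, address(this), amount), "repay failed");
    }
}
```

For the alternative mitigation, the same counter can be checked at the top of flashloan() and the call reverted when the depth is already non-zero, so nesting is rejected before any tokens move.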