The flashloan() function is intended to operate only on approved tokens that have been explicitly added via setAllowedToken.
However, the function does not enforce this requirement and directly fetches the AssetToken from the mapping without verifying that the token is allowed.
If the token is not allowed:
assetToken will be address(0)
The function continues execution until it later interacts with this invalid reference
Likelihood:
Function is externally callable with arbitrary token addresses
No early validation ensures only approved tokens are used
Impact:
Unintended tokens can be passed into the flashloan flow
Execution reverts later in the function rather than failing early
Leads to poor validation design and unnecessary gas consumption
Call flashloan with a non-approved token:
Behavior:
assetToken = address(0)
Function proceeds
Reverts when calling:
Add explicit validation to ensure only allowed tokens are used
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.