28713 - [SC - Insight] Reentrancy on BorrowerOperations allows users t...
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on Feb 24th 2024 at 19:57:39 UTC by @shanb1605 for
Report ID: #28713
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/BorrowerOperations.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Permalink: https://github.com/ebtc-protocol/ebtc/blob/a96bd000c23425f04c3223a441a625bfb21f6686/packages/contracts/contracts/BorrowerOperations.sol#L1091
The flashLoan()
allows users to borrow ebtc on BorrowerOperations. The amount that can be borrowed is limited to maxFlashLoan(token) means one can borrow within the maximum limit of the amount. This limit can be bypassed with a reentrant call on the flashLoan()
function.
The BorrowerOperations contract misses reentrancy protection on flashLoan() which leads to borrowing over the max borrowing limit of the token.
Contract fails to deliver promised returns, but doesn't lose value: The contract promises to lend within the maximum flash loan amount to the users. However, the malicious users can re-enter the flashloan()
function and borrow above the maximum limit. Hence, the contract fails to deliver the promise.
MakerDao has Reentrancy Protection on the FlashLoan module: https://github.com/makerdao/dss-flash/blob/9d492aa6148c35f568400a1ab85cd6df43b2ccc8/src/flash.sol#L74
https://github.com/makerdao/dss-flash/blob/9d492aa6148c35f568400a1ab85cd6df43b2ccc8/src/flash.sol#L137
First call_Flashloan()
is executed to borrow the max amount of ebtc.
Inside onFlashLoan
some_actions()
will executed to borrow again the ebtc from the BorrowerOperations contract.
It sets attack_done = true
to prevent an unbounded loop.
Further actions will be carried out with the Flash Loan amount.