# 28980 - \[SC - Insight] Ther is an invariant Check Failure in flashLoan... Submitted on Mar 4th 2024 at 01:28:46 UTC by @XDZIBECX for [Boost | eBTC](https://immunefi.com/bounty/ebtc-boost/) Report ID: #28980 Report type: Smart Contract Report severity: Insight Target: Impacts: * Protocol insolvency ## Description ## Brief/Intro There is a vulnerability in the `flashLoan` function is relates to an invariant check that assumes the collateral rate remains constant throughout the flash loan operation and this check fails to account for potential manipulation within the same transaction, allowing for inflation or deflation of collateral value. so If an attacker exploit this vulnerability it's could lead to arbitrage opportunities or unjust profit by creating discrepancies in collateral value without triggering the contract's safety checks, and this can impact the protocol's financial sand potentially lead to protocol insolvency if the discrepancies significantly affect the protocol's asset valuation. ## Vulnerability Details this is the vulnerable part : ```solidity require( collateral.getPooledEthByShares(DECIMAL_PRECISION) == oldRate, "ActivePool: Should keep same collateral share rate" ); ``` in this line is intended to ensure the collateral's share rate remains unchanged after a flash loan operation, and assuming that no external interactions can affect the collateral rate within the same transaction. so this assumption is flawed. and an attacker can manipulate the collateral's perceived value as an example, through market manipulation, oracle manipulation, within the transaction of the flash loan. This manipulation could temporarily inflate or deflate the collateral's value, allowing the attacker to benefit from the discrepancy in valuation, all while bypassing the contract's safety mechanisms designed to prevent such occurrences. ## Impact Details if an attacker exploit this vulenrbaility it's can be significant financial instability for the protocol the attackers could profit from the temporary inflation or deflation of collateral values, extracting value from the protocol unjustly. and in In severe cases, if the exploited discrepancies significantly impact the protocol's ability to maintain its financial obligations, it could lead to insolvency. ## References * ## Proof of Concept i fuzz with a scenario that show under certain conditions, when the collateral rate is manipulated within the transaction of a flash loan, the invariant check can fail. In the test, 481 out of 1000 runs failed the invariant check, indicating that the assumption of a constant collateral rate does not always hold. This serves as evidence that an attacker could exploit this assumption to their advantage. here is the fuzz test : ```python import random # Constants DECIMAL_PRECISION = 10**18 FLASH_SUCCESS_VALUE = bytes(b'FlashLoanSuccess') class MockCollateral: def __init__(self, rate): self.rate = rate self.initial_rate = rate def getPooledEthByShares(self, shares): # Simplified to return a constant rate for demonstration return shares * self.rate // DECIMAL_PRECISION def manipulateRate(self, new_rate): # Temporarily manipulate the rate for the duration of the flash loan self.rate = new_rate def resetRate(self): # Reset the rate to its initial value self.rate = self.initial_rate def transfer(self, receiver, amount): pass def transferFrom(self, sender, receiver, amountWithFee): pass class ActivePool: def __init__(self, collateral): self.collateral = collateral self.systemCollShares = 1000000 # Example initial system collateral shares def flashLoan(self, receiver, token, amount, data): oldRate = self.collateral.getPooledEthByShares(DECIMAL_PRECISION) # Simulate collateral transfer to receiver self.collateral.transfer(receiver, amount) # Simulate callback and repayment callback_result = FLASH_SUCCESS_VALUE # Assume success for simplicity if callback_result != FLASH_SUCCESS_VALUE: return False # Simulate manipulation within the transaction manipulated_rate = random.randint(1, 2) * oldRate self.collateral.manipulateRate(manipulated_rate) # Invariant check (focus of our simulation) assert self.collateral.getPooledEthByShares(DECIMAL_PRECISION) == oldRate, "Should keep same collateral share rate" # Reset the rate to ensure further operations are not affected self.collateral.resetRate() return True # Mock setup collateral = MockCollateral(rate=DECIMAL_PRECISION) # 1:1 rate for simplicity active_pool = ActivePool(collateral=collateral) # Attempt flash loan result = active_pool.flashLoan("receiver", "token", 1000, "data") print("Flash Loan Successful:", result) ``` The fuzz test run for 1000 test cases, out of which the invariant check failed in 481 cases. this is demonstrate that under certain conditions, specifically when the collateral rate is manipulated within the transaction of a flash loan, the invariant check (collateral.getPooledEthByShares(DECIMAL\_PRECISION) == oldRate) can fail. This indicates show the vulnerability where the assumption that the collateral rate will remain constant during the flash loan operation does not hold true. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/badgerdao-ebtc/28980-sc-insight-ther-is-an-invariant-check-failure-in-flashloan....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.