043.md

Obedient Lava Monkey

Medium

Insufficient liquidity check in flash loan validation enables reserve depletion

Summary:

The lack of an available liquidity check in validateFlashloanSimple (line where flash loan validation occurs) will cause reserve depletion for the protocol as an attacker will bypass liquidity constraints and execute a flash loan exceeding available liquidity.

---

Root Cause:

In ValidationLogic.validateFlashloanSimple line where !configuration.getIsVirtualAccActive() is checked, the validation incorrectly relies on totalSupply instead of verifying availableLiquidity.

---

Internal Pre-conditions:

1. A reserve needs to have a getIsVirtualAccActive flag set to true.
2. The reserve's total supply must be greater than or equal to the flash loan request, but the availableLiquidity is insufficient.

---

External Pre-conditions:

1. The attacker has the ability to call the flashLoan function for the affected reserve.

---

Attack Path:

1. The attacker calls the protocol’s flashLoan function with an amount exceeding the reserve's availableLiquidity.
2. The protocol validates the request using totalSupply rather than availableLiquidity.
3. The protocol erroneously approves the flash loan, draining liquidity and destabilizing the reserve.

---

Impact:

The protocol suffers potential insolvency, leaving users unable to withdraw or borrow from the reserve.

---

Mitigation:

Replace the totalSupply check in validateFlashloanSimple with a check against availableLiquidity to ensure the requested flash loan amount is backed by sufficient liquidity in the reserve.