Skip to content

Latest commit

 

History

History
97 lines (64 loc) · 4.07 KB

071.md

File metadata and controls

97 lines (64 loc) · 4.07 KB

Glamorous Plum Baboon

Medium

Insufficient Validation in Flashloan Parameters

Summary

The ValidationLogic:validateFlashloan function in lacks sufficient validation for the parameters passed during a flashloan call. Specifically, the function does not check whether the loan amount for each asset (amounts[i]) is greater than zero or if the supplied assets (assets[i]) are valid reserve assets in the contract's reservesData.

Description

The function validateFlashloan currently includes a basic check to ensure the consistency of array lengths for assets and amounts using the following line:

require(assets.length == amounts.length, Errors.INCONSISTENT_FLASHLOAN_PARAMS);

However, the function does not validate the following critical conditions:

  1. Non-zero Loan Amounts: The contract does not verify that amounts[i] > 0, potentially allowing a flashloan call with zero amounts. This could lead to unnecessary gas consumption or unexpected contract behavior.
  2. Asset Validity: The contract does not confirm that the assets specified in the assets array exist as valid reserve assets within the reservesData mapping. An invalid or unrecognized asset could cause issues downstream in the flashloan logic.

Both of these missing validations expose the contract to potential misuse or unintended outcomes.

Root Cause

The root cause is the insufficient validation of parameters within the validateFlashloan function. Specifically, the following checks are missing:

  1. Verification that amounts[i] > 0 for all i.
  2. Verification that assets[i] exists within the reservesData mapping.

Relevant code snippet:

require(assets.length == amounts.length, Errors.INCONSISTENT_FLASHLOAN_PARAMS);

https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/libraries/logic/ValidationLogic.sol#L333-L345

Impact

  • Gas Wastage: Allowing zero loan amounts leads to gas being consumed for flashloan requests that serve no real purpose.
  • Potential Exploits: The absence of asset validity checks increases the risk of erroneous behavior or contract execution failures if invalid assets are passed as parameters.
  • Degraded User Experience: Malfunctioning flashloan operations could reduce user trust in the platform and its security measures.

Proof of Concept (PoC)

The following example demonstrates how the current implementation can be exploited:

  1. Call the flashloan function with the following parameters: 
    assets = [0x0000000000000000000000000000000000000000]; // Invalid asset  
amounts = [0]; // Zero amount
  2. The call will pass the current validateFlashloan check since the lengths of assets and amounts match, but the logic downstream could fail due to the invalid parameters.

Recommended Mitigation

To fix the issue, add the following checks to the validateFlashloan function:

  1. Verify that each amount is greater than zero:

    require(amounts[i] > 0, Errors.INVALID_FLASHLOAN_AMOUNT);

  2. Ensure that each asset is a valid reserve asset in reservesData:

    require(reservesData[assets[i]].isActive, Errors.INVALID_RESERVE_ASSET);

Revised validateFlashloan function:

function validateFlashloan(address[] memory assets, uint256[] memory amounts) internal view {  
    require(assets.length == amounts.length, Errors.INCONSISTENT_FLASHLOAN_PARAMS);  

    for (uint256 i = 0; i < assets.length; i++) {  
        require(amounts[i] > 0, Errors.INVALID_FLASHLOAN_AMOUNT);  
        require(reservesData[assets[i]].isActive, Errors.INVALID_RESERVE_ASSET);  
    }  
}

By implementing these additional checks, the contract will enforce stricter validation on flashloan parameters, thereby improving security and preventing misuse.

This mitigation ensures that the contract is safeguarded against the risks identified and enforces better parameter integrity for flashloan operations.