Rich Grey Crocodile - Users can still dilute and steal rewards using an external flashloan

[sherlock-admin2]

Rich Grey Crocodile

Medium

Users can still dilute and steal rewards using an external flashloan

Vulnerability Details

In flashMint of DecentralizedIndex.sol, we can see that shortCircuitRewars is set to true to temporarily prevent the rewards calculation during a flashloan of the pod's native share token to prevent malicious attackers from diluting and stealing the rewards:

function flashMint(address _recipient, uint256 _amount, bytes calldata _data) external override lock {
 -->    _shortCircuitRewards = 1;
        uint256 _fee = _amount / 1000;
        _mint(_recipient, _amount);
        IFlashLoanRecipient(_recipient).callback(_data);
        // Make sure the calling user pays fee of 0.1% more than they flash minted to recipient
        _burn(_recipient, _amount);
        // only adjust _totalSupply by fee amt since we didn't add to supply at mint during flash mint
        _totalSupply -= _fee == 0 ? 1 : _fee;
        _burn(_msgSender(), _fee == 0 ? 1 : _fee);
        _shortCircuitRewards = 0;
        emit FlashMint(_msgSender(), _recipient, _amount);
}

However, from the other files like the leverage folders, we can see that the native pod tokens are often integrated with uniswap pools and fraxlend pairs.

Attack path

So, malicious attackers can still find a way around to carry out the same attack path by using an external pool like uniswap or fraxlend which has the pod's native share token as one of the tokens involved to flashloan and steal the rewards, since shortCircuitRewards will not be set to true in those senarios.

Since shortCircuitRewards is set to false, reward calculations will be triggered and _feeSwap will send the rewards into TokenRewards.sol for distribution which the malicious attacker can steal.

LoC

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/d28eb19f4b39d3db7997477460f9f9c76839cb0c/contracts/contracts/DecentralizedIndex.sol#L425