Omniscia DAFI Protocol Audit

DAFIPlatform Manual Review Findings

DAI-01M: Flash-Loan Susceptibility

Type: Logical Fault
Severity: Medium
Location: DAFIPlatform.sol:L34-L38

Description:

The getdToken function uses the balance a user holds in a particular currency to mint the corresponding d-prefixed token amount. Because the _balance argument is supplied by the caller, the function is susceptible to a flash loan: a user can borrow an excessive amount of funds within a single transaction and pass a very high _balance that does not represent the balance they actually hold.

Example:

contracts/DAFIPlatform.sol
34  function getdToken(string memory _type, uint256 _balance) public payable {
35      require(msg.value == 5000000000000000000, "Fee amount is not valid");
36      DAFIContract.getdToken(_type, _balance, msg.sender);
37      wallet.transfer(msg.value);
38  }

Recommendation:

We advise that the snapshotting mechanism be assessed and that some form of protection against flash loans be introduced.

Alleviation:

We discussed the issue with the DAFI team and concluded that the ideal approach would be to prohibit non-EOA actors from interacting with the contract, preventing such a flash-loan scenario from unfolding. This was achieved by introducing the require(msg.sender == tx.origin) check, which ensures that the caller of the function is in fact the creator of the transaction. This security measure will not be applicable beyond the London fork of Ethereum, which changes the behaviour of tx.origin; however, the ability to mint new tokens will have been disabled by then.
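The EOA-only guard described in the alleviation, written out as an added example rather than the DAFI project's own code; the IDAFI interface, the constructor, the onlyEOA modifier and the contract name are assumed for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the minting contract; assumed here for illustration only.
interface IDAFI {
    function getdToken(string calldata _type, uint256 _balance, address _to) external;
}

contract DAFIPlatformHardened {
    // Same fee as the audited code: 5000000000000000000 wei.
    uint256 public constant FEE = 5 ether;
    IDAFI public immutable DAFIContract;
    address payable public immutable wallet;

    constructor(IDAFI _dafi, address payable _wallet) {
        DAFIContract = _dafi;
        wallet = _wallet;
    }

    // A flash loan is borrowed and repaid inside one call, so the borrower is
    // necessarily a contract and its msg.sender can never equal tx.origin.
    // Rejecting every contract caller therefore closes the scenario in DAI-01M,
    // at the cost of also locking out contract wallets (e.g. multisigs).
    modifier onlyEOA() {
        require(msg.sender == tx.origin, "Caller must be an EOA");
        _;
    }

    // Identical to the audited function apart from the onlyEOA guard; the
    // caller-supplied _balance is still trusted, exactly as in the original.
    function getdToken(string memory _type, uint256 _balance) public payable onlyEOA {
        require(msg.value == FEE, "Fee amount is not valid");
        DAFIContract.getdToken(_type, _balance, msg.sender);
        wallet.transfer(msg.value);
    }
}
```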