Lambo.win
threadmodelingFinding description and impact
The protocol allows whitelisted users to call takeLoan, which is invoked during the createLaunchPad function. Since there is no mechanism to limit virtualLiquidityAmount in the call to createLaunchPad (and therefore to takeLoan), a whitelisted user can deliberately grief another user by consuming the maximum loanable amount (MAX_LOAN_PER_BLOCK) before the target user’s call to createLaunchPad. This prevents the createLaunchPad function from succeeding during that block.
Proof of Concept
See @audit tags
File: LamboFactory.sol 65: function createLaunchPad( 66: string memory name, 67: string memory tickname, 68: uint256 virtualLiquidityAmount, //@audit an arbitrary amount can be used without any cost 69: address virtualLiquidityToken 70: ) public onlyWhiteListed(virtualLiquidityToken) nonReentrant returns (address quoteToken, address pool) { ... 74: VirtualToken(virtualLiquidityToken).takeLoan(pool, virtualLiquidityAmount); //@audit this can grief all subsequent users in the same block
function takeLoan(address to, uint256 amount) external payable onlyValidFactory { if (block.number > lastLoanBlock) { lastLoanBlock = block.number; loanedAmountThisBlock = 0; } require(loanedAmountThisBlock + amount <= MAX_LOAN_PER_BLOCK, "Loan limit per block exceeded"); // @audit given that this shared among users, this can be used as a grief vector
Recommended mitigation steps
Add a maximum for virtualLiquidityAmount in createLaunchPad