Assessment reports>Prisma Finance>Threat Models>flashLoan

Function: flashLoan(IERC3156FlashBorrower receiver, address token, uint256 amount, byte[] data)

This function is used to flash loan debt tokens.

Inputs

  • receiver

    • Control: Fully controlled.

    • Constraints: Receiver should be a valid ERC3156FlashBorrower contract.

    • Impact: Receiver of the flash loan.

  • token

    • Control: Fully controlled.

    • Constraints: Address of token should be equal to address of this contract.

    • Impact: These tokens will be minted for the flash loan.

  • amount

    • Control: Fully controlled.

    • Constraints: Amount should be less than the max flash loan amount.

    • Impact: The amount of tokens to be provided as a flash loan.

  • data

    • Control: Fully controlled.

    • Constraints: No constraints.

    • Impact: N/A.

Branches and code coverage (including function calls)

Intended branches

  • The amount of flash loan requested is minted to the receiver.

  • The call receiver.onFlashLoan returns the correct return value.

  • The amount requested is burned after the flash loan is complete, and the fee is transferred to the fee receiver.

Negative behavior

  • Revert if the token address is not equal to the address of this contract.

  • Revert if amount exceeds the max flash loan amount.

  • Revert if return value of receiver.onFlashLoan is not equal to _RETURN_VALUE.

  • Revert if tokens cannott be burnt from the receiver address.

  • Revert if tokens cannot be transferred to the fee receiver contract.

Function call analysis

  • receiver.onFlashLoan(msg.sender, token, amount, fee, data):

    • What is controllable? msg.sender, token, amount, and data.

    • If return value controllable, how is it used and how can it go wrong? Return value should always be equal to _RETURN_VALUE.

    • What happens if it reverts, reenters, or does other unusual control flow? This function can reenter, but it does not pose a risk because it always preserves the property that the amount minted at the beginning is always recovered and burned at the end, or else the entire function will revert.

Zellic © 2025Back to top ↑