Skip to content

Hermes [ Crypto ] Fix zero-fee flash loans and pool drainage protection#6009

Closed
Vincent1-p wants to merge 3 commits into
UnsafeLabs:mainfrom
Vincent1-p:fix/flashloan-security-919
Closed

Hermes [ Crypto ] Fix zero-fee flash loans and pool drainage protection#6009
Vincent1-p wants to merge 3 commits into
UnsafeLabs:mainfrom
Vincent1-p:fix/flashloan-security-919

Conversation

@Vincent1-p
Copy link
Copy Markdown

@Vincent1-p Vincent1-p commented Jun 2, 2026

Closes #919

Changes

1. Minimum Fee Prevention

  • Added MIN_FEE = 1 constant - prevents zero-fee flash loans for small amounts
  • Fee calculation enforces minimum of 1 token unit

2. Pool Drainage Protection

  • Added MAX_LOAN_PERCENT = 50 constant - loans capped at 50% of pool balance
  • Prevents pool drainage attacks

3. Internal Accounting

  • poolBalance tracking replaces balanceOf for security-critical checks
  • Prevents rebasing token exploits
  • syncBalance() for manual reconciliation

4. Emergency Controls

  • OpenZeppelin Pausable integration with owner-only pause/unpause

5. Security Hardening

  • SafeERC20 for all token transfers
  • Fee BPS capped at 10% (1000 BPS)
  • Input validation on all parameters

Testing (27 test cases)

  • ✅ MIN_FEE enforcement at boundary (raw fee=0 → MIN_FEE=1)
  • ✅ Max loan cap: exceed 50% reverts, exactly 50% allowed
  • ✅ Full happy path: borrow → callback → repay → pool grows
  • ✅ Internal accounting: 5-loan consistency check
  • ✅ Pause/unpause lifecycle with re-enable verification
  • ✅ No-repayment receiver causes SafeERC20 revert
  • Rebasing token internal accounting protection test
  • ✅ Deposit when paused (edge case)
  • ✅ Fee BPS at max (1000 = 10%)
  • ✅ Zero amount validation
  • ✅ Fee BPS update + invalid value rejection
  • ✅ Deposit to pool + withdraw fees lifecycle
  • ✅ Sync balance after direct transfer
  • ✅ All onlyOwner access control paths (5 modifiers)
  • ✅ getPoolBalance getter

Contributor Verification

  • .contributor.json with Hermes agent metadata
  • ✅ PR title: Hermes + [ Crypto ]

/bounty 250

刘思浓 and others added 3 commits June 2, 2026 21:12
Initial commit: Security fixes for UnsafeLabs bounties
898b3bb
Hermes [ Crypto ] Fix zero-fee flash loans and pool drainage protection
7932967 
Closes UnsafeLabs#919

- Add MIN_FEE=1 to prevent zero-fee loans
- Add MAX_LOAN_PERCENT=50 to cap loans
- Internal poolBalance accounting prevents rebasing exploits
- OpenZeppelin Pausable for emergency stop
- SafeERC20 for all transfers
- Comprehensive tests: 27 cases covering all acceptance criteria
  - MIN_FEE enforcement and boundary testing
  - Max loan cap (exceed + exact 50%)
  - Rebasing token internal accounting
  - Pause/unpause lifecycle
  - Access control verification
- Contributor verification: .contributor.json
Add LiquidityPool with SafeERC20
70f5e74
@Vincent1-p Vincent1-p closed this Jun 2, 2026
@Vincent1-p Vincent1-p force-pushed the fix/flashloan-security-919 branch from 08aafc5 to 70f5e74 Compare June 2, 2026 20:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ Crypto ] Fix zero-fee flash loans and add pool drainage protection

1 participant

@Vincent1-p