BugHunter101
high
Flashloan._loan() does not need the fee, it will cause protocol loss fund.
As we can see , Flashloan._loan() does not need the fee, just transfer amount
to user, it will cause protocol loss fund.
function _loan(IERC3156FlashBorrower receiver, address token, uint256 amount, bytes memory data, address msgSender)
internal
{
IronBankInterface(ironBank).borrow(address(this), address(receiver), token, amount);
require(receiver.onFlashLoan(msgSender, token, amount, 0, data) == CALLBACK_SUCCESS, "callback failed"); // no fee
IERC20(token).safeTransferFrom(address(receiver), address(this), amount);//@audit
uint256 allowance = IERC20(token).allowance(address(this), ironBank);
if (allowance < amount) {
IERC20(token).safeApprove(ironBank, type(uint256).max);
}
IronBankInterface(ironBank).repay(address(this), address(this), token, amount);
}
it will cause protocol loss fund.
Manual Review
adding fee such using calculate rate.