Section 6 Thunderloan - recommended mitigation in Price Oracle Manipulation Finding

[Nihavent]

Really enjoying the course so far, thanks for putting this together.

Regarding the issue we found in this project of 'price oracle manipulation resulting in reduced flashloan fees', the recommended mitigation is to not use the price of a pool as an oracle. Instead it is suggested to use Chainlink price feed.

I am wondering why the fee calculation needs has a dependancy on external price fees at all?

Couldn't the protocol just expect the borrower to repay an extra s_flashLoanFee / s_feePrecision (initially set to 0.03%) of the underlying asset? Because this is a percentage fee, instead of a flat fee in weth equivalent, the underlying price of the asset doesn't matter if we always take 0.03%.

Maybe I'm overthinking this and it was put here to demonstrate an attack vector, but thought I'd open the discussion anyway!

[PatrickAlphaC]

This is a great suggestion!

This ideally is a much better architecture for the protocol, however, we will often try to give recommendations based on what the protocol wants to do - and they said they want to price loans as they said.

For me, I'd still probably make the same recommendation you did additionally.

...also, I made the code like this to show this kind of exploit ahah