Hey @albertocuestacanada, great work with EIP-3156.
I was reading the standard, and I stopped at the “Flash lending security considerations” section. I wonder why it mentions an EOA in this context?
> If an unsuspecting contract with a non-reverting fallback function, or an EOA, would approve a lender implementing ERC3156, and not immediately use the approval …
It is true that the EVM does not revert on calls made to EOAs, but high-level Solidity does. In particular, your reference implementation FlashLender.sol does `receiver.onFlashLoan(msg.sender, token, amount, _fee, data) == CALLBACK_SUCCESS`, where `receiver` is a function param of type `IERC3156FlashBorrower`.
Therefore, the approval vulnerability only applies to an EOA if the lender contract uses a vanilla `address` type and performs a low-level call to `receiver`. But this should not be the case in the vast majority of EIP-3156 implementations.
Do you think that it would be worth it to add a note about this in the standard?
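The dispatch pattern the post describes, as an added illustration that is not part of the original post or of the EIP-3156 reference implementation: a lender sketch that types `receiver` as the borrower interface, so a call to an account with no code reverts instead of appearing to succeed, and that additionally states the "receiver must have code" requirement explicitly so the failure is readable even in a lender that chooses a low-level call elsewhere. The `IERC20Like` interface, the fee amount and the contract name are assumptions made for this example; the `onFlashLoan` signature and `CALLBACK_SUCCESS` constant follow the standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Borrower callback as specified by ERC-3156 (declared here rather than
// imported so the example is self-contained).
interface IERC3156FlashBorrower {
    function onFlashLoan(
        address initiator,
        address token,
        uint256 amount,
        uint256 fee,
        bytes calldata data
    ) external returns (bytes32);
}

// Minimal token surface used by the sketch (assumed, not from the EIP).
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract FlashLenderSketch {
    bytes32 public constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    // Hypothetical lender entry point; only the callback dispatch matters here,
    // so fee policy and accounting are deliberately minimal.
    function flashLoan(
        IERC3156FlashBorrower receiver,
        address token,
        uint256 amount,
        bytes calldata data
    ) external returns (bool) {
        uint256 fee = amount / 1000; // constructed 0.1% fee for the example

        // Explicit defensive check: an externally owned account has no code and
        // therefore cannot run a callback. A high-level Solidity call would revert
        // on its own (empty return data cannot be decoded as bytes32), but stating
        // the requirement gives auditors and callers a clear revert reason, and it
        // still holds if a later refactor switches to a low-level call.
        require(address(receiver).code.length > 0, "receiver has no code");

        require(IERC20Like(token).transfer(address(receiver), amount), "transfer failed");

        // High-level call through the interface type: because `receiver` is
        // IERC3156FlashBorrower rather than a bare `address`, the compiler emits
        // return-data decoding that reverts if the target returned nothing.
        require(
            receiver.onFlashLoan(msg.sender, token, amount, fee, data) == CALLBACK_SUCCESS,
            "callback failed"
        );

        require(
            IERC20Like(token).transferFrom(address(receiver), address(this), amount + fee),
            "repayment failed"
        );
        return true;
    }
}
```

The contrast with a bare `address` plus `receiver.call(...)` is that the low-level form returns `(true, "")` for a code-less target and leaves it to the lender to notice the empty return data; typing the parameter as the interface moves that check into the compiler, and the explicit `code.length` guard makes the intent visible regardless of which form is used.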