98a79505e1
It looks like it wasn't possible to exploit the program by re-initializing the user-owned token accounts used in flash loan because the later use of health_ais with the health computation would error out if any token account was included there. However, the check and a few others were too indirect. In this patch: - We pass the number of loans into FlashLoanEnd explicitly (verified from FlashLoanBegin) - Add explicit checks for token mints, so it's no longer possible to use token accounts for foreign mints in Begin when the loan amount is zero, and it's clearer to see that the bookkeeping in End won't break if the user reinited the account for a different mint. - Also add a few other extra comments and checks. The updated FlashLoanEnd instruction is called FlashLoanEndV2 |
||
|---|---|---|
| .. | ||
| checked_math | ||
| client | ||