Treasury League and Dev League
This proposal disables the
flashLoan functionality from Idle Protocol.
Idle Leagues were notified regarding a potential vulnerability that was affecting partners’ integration with Idle Protocol.
The vulnerability was discovered and mitigated within 1 hour. All funds are safe and no action is required by partners or users. Deposits in Idle protocol have always been safe.
To dampen any possible malicious outcome on the partners’ side, Leagues activated the Pause Guardian procedure. The
rebalance functions have been temporarily paused on Ethereum, while
redeem is still available. This IIP does not involve Polygon strategies, which have been already updated.
IIP-17 will finalize the issue removal by changing the
flashLoan method in a no-op, effectively disabling this functionality. After the on-chain execution of IIP-17, the protocol can be unpaused and
rebalance functions activated again.
A more in-depth analysis will be made in the future on a possible fix that would allow flash loans to be offered in the Idle protocol without creating similar issues. A detailed description of the potential partners’ vulnerability is available in this report.
The new implementation is available here.
The code for the IIP is here.
With one action still available in IIP-17, Dev League proposes to also include a minor update related to idleFEI Best-Yield (proxyAdmin update). This update is not related to the potential vulnerability fix described above.
- IdleToken update: 9 actions
- idleFEI Best-Yield proxyAdmin update: 1 action
We are going to leave this thread open for comments regarding these changes, and in about 24hrs, if there are no objections, we will proceed with the on-chain proposal and the voting phase.