Authors
Treasury League and Dev League
Summary
This proposal disables the flashLoan functionality from Idle Protocol.
Rationale
Idle Leagues were notified regarding a potential vulnerability that was affecting partners’ integration with Idle Protocol.
The vulnerability was discovered and mitigated within 1 hour. All funds are safe and no action is required by partners or users. Deposits in Idle protocol have always been safe.
To dampen any possible malicious outcome on the partners’ side, Leagues activated the Pause Guardian procedure. The deposit and rebalance functions have been temporarily paused on Ethereum, while redeem is still available. This IIP does not involve Polygon strategies, which have already been updated.
IIP-17 will finalize the issue removal by changing the flashLoan method into a no-op, effectively disabling this functionality. After the on-chain execution of IIP-17, the protocol can be unpaused and the deposit and rebalance functions activated again.
A more in-depth analysis will be made in the future on a possible fix that would allow flash loans to be offered in the Idle protocol without creating similar issues. A detailed description of the potential partners’ vulnerability is available in this report.
Specifications
The new implementation is available here.
The code for the IIP is here.
With one action still available in IIP-17, Dev League proposes to also include a minor update related to idleFEI Best-Yield (proxyAdmin update). This update is not related to the potential vulnerability fix described above.
Actions:
- IdleToken update: 9 actions
- idleFEI Best-Yield proxyAdmin update: 1 action
Next Step
We are going to leave this thread open for comments regarding these changes, and in about 24hrs, if there are no objections, we will proceed with the on-chain proposal and the voting phase.