Question on flashloan contract implementations

Is there a reason why most protocols use balance checks instead of a push-pull method?

E.g., what protocols typically do:

uint balanceBefore = IERC20(token).balanceOf(address(this));
caller.executeOperation(..., params);
uint balanceAfter = IERC20(token).balanceOf(address(this));
require(balanceAfter == balanceBefore + fee);

Instead of:

IERC20(token).transfer(caller, amount);
caller.executeOperation(..., params);
IERC20(token).transferFrom(caller, address(this), amount+fee);

Is there a vulnerability in the 2nd method that I'm missing?

Regardless of vulnerabilities, your alternative code has at least 3 problems:

  1. It assumes that no additional fee is applied inside the functions of the token contract itself
  2. It costs more gas, because it relies on approve + transferFrom instead of transfer
  3. It is incompatible with ETH

With regard to vulnerabilities, I suppose that making it compatible with ETH might introduce some.

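Point 1 of the answer, worked through as an added example (a Python model, not code from the thread or from any protocol): with a token that takes its own fee on every move, the push-pull lender's `transferFrom(amount + fee)` completes while the pool ends up short, whereas the balance check rejects the same loan. All names and balances are constructed, and the outgoing transfer inside `balance_check_loan` is an assumption, since the thread's first snippet does not show it.

```python
# Constructed Python model of the two repayment styles; all names are illustrative.
class Token:
    """ERC20-like ledger; fee_bps > 0 models a token that takes its own fee on every move."""
    def __init__(self, fee_bps, balances):
        self.fee_bps, self.bal, self.allow = fee_bps, dict(balances), {}

    def _move(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.bal[src] -= amount
        # The recipient is credited with less than `amount` when the token charges a fee.
        self.bal[dst] = self.bal.get(dst, 0) + amount - amount * self.fee_bps // 10_000

    def transfer(self, sender, dst, amount):
        self._move(sender, dst, amount)

    def approve(self, owner, spender, amount):
        self.allow[(owner, spender)] = amount

    def transfer_from(self, spender, src, dst, amount):
        if self.allow.get((src, spender), 0) < amount:
            raise RuntimeError("insufficient allowance")
        self.allow[(src, spender)] -= amount
        self._move(src, dst, amount)


def push_pull_loan(token, amount, fee):
    """Second snippet: send, call back, then transferFrom(amount + fee)."""
    token.transfer("pool", "borrower", amount)
    token.approve("borrower", "pool", amount + fee)  # done inside the borrower's callback
    token.transfer_from("pool", "borrower", "pool", amount + fee)  # returns without error


def balance_check_loan(token, amount, fee):
    """First snippet: compare the pool balance before and after the callback."""
    before = token.bal["pool"]
    token.transfer("pool", "borrower", amount)  # assumed: loan is sent after the snapshot
    token.transfer("borrower", "pool", amount + fee)  # borrower's callback repays
    if token.bal["pool"] != before + fee:
        raise RuntimeError("flash loan not repaid in full")  # a revert on-chain


def pool_delta(loan, fee_bps, amount=100_000, fee=90):
    """Run one loan on fresh constructed balances; return the pool's net change."""
    token = Token(fee_bps, {"pool": 1_000_000, "borrower": 10_000})
    loan(token, amount, fee)
    return token.bal["pool"] - 1_000_000
```

With a 1% token fee (`fee_bps=100`) the push-pull loan leaves the pool 910 units short even though every call succeeded; with a plain token both styles earn the 90-unit fee.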