Beginner Friendly | Foundry | DeFi | Oracle
100 EXP
Submission Details
Severity: high
Valid

AssetToken exchange rate can be artificially increased through deposits

Summary

The deposit function in the original ThunderLoan contract increases the exchange rate of the AssetTokens on every deposit, even though no flash-loan fee has been paid into the pool.

Vulnerability Details

The deposit function calls getCalculatedFee() and updateExchangeRate(), so the AssetToken exchange rate rises on every deposit. The exchange rate should ONLY increase when a flash loan is taken out and its fee is actually paid into the pool, not simply when a user deposits funds.

Impact

A user can use this to artificially raise the value of their AssetTokens by depositing large amounts of the underlying token, in effect simulating the interest-accruing effect of other users taking out flash loans, without anyone paying the associated fee.
If users were then to redeem their AssetTokens for the underlying token, they would receive more tokens than they should.

This results in the leakage of the protocol's funds.

It can also result in the loss of users' funds: because the exchange rate is artificially inflated, the total amount of underlying tokens that AssetToken holders are entitled to redeem will always be greater than the amount of underlying tokens actually deposited. I.e. if all users went to redeem their AssetTokens, the pool would run out of the underlying token before everyone was paid, leaving the last redeemers unable to redeem.

Due to this, I have marked it as a high-risk finding.

Tools Used

Recommendations

The upgraded ThunderLoan contract fixes this by removing the getCalculatedFee() and updateExchangeRate() calls from the deposit function, so the exchange rate only moves when a flash-loan fee is actually collected.
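The following model of the pool accounting is an added illustration for this finding; it is not the Thunder Loan contract or any code from the contest. The Pool class, its method names, the 30 bps fee, the 1e18 fixed-point scale and the "rate can only increase" guard are all assumptions chosen to mirror the behaviour described above (mint AssetTokens, book a fee, update the exchange rate). The vulnerable scenario shows two equal depositors with no flash loans at all: the first redeemer is overpaid and the second cannot redeem. The fixed scenario shows that once deposits stop touching the rate, only a real flash-loan fee moves it, and every redemption is fully backed.

```python
# Added illustration of the exchange-rate accounting described in the finding.
# This is NOT the Thunder Loan contract; Pool, deposit, redeem, flash_loan,
# fee_bps and PRECISION are assumptions that model the described behaviour.

PRECISION = 10**18  # assumed fixed-point scale: rate == PRECISION means 1:1


class PoolUnderfunded(Exception):
    """Raised when a redeem would pull more underlying than the pool holds."""


class Pool:
    def __init__(self, fee_bps=30, deposit_updates_rate=True):
        # deposit_updates_rate=True reproduces the vulnerable behaviour;
        # False is the recommended fix (no fee / rate update on deposit).
        self.deposit_updates_rate = deposit_updates_rate
        self.fee_bps = fee_bps
        self.exchange_rate = PRECISION  # underlying per AssetToken, scaled
        self.total_supply = 0           # AssetTokens outstanding
        self.underlying = 0             # underlying actually held by the pool
        self.balances = {}

    def calculated_fee(self, amount):
        return amount * self.fee_bps // 10_000

    def update_exchange_rate(self, fee):
        # Assumed update rule: rate' = rate * (supply + fee) / supply,
        # guarded so the rate can only increase.
        new_rate = self.exchange_rate * (self.total_supply + fee) // self.total_supply
        if new_rate <= self.exchange_rate:
            raise ValueError("exchange rate can only increase")
        self.exchange_rate = new_rate

    def deposit(self, user, amount):
        minted = amount * PRECISION // self.exchange_rate
        self.balances[user] = self.balances.get(user, 0) + minted
        self.total_supply += minted
        self.underlying += amount
        if self.deposit_updates_rate:
            # The bug: a "fee" is booked although nobody paid it, so the
            # rate rises while the pool's underlying balance does not.
            self.update_exchange_rate(self.calculated_fee(amount))
        return minted

    def flash_loan(self, amount):
        # Legitimate rate growth: the borrower repays principal + fee and the
        # fee stays in the pool, so the rate increase is backed by real tokens.
        fee = self.calculated_fee(amount)
        self.underlying += fee
        self.update_exchange_rate(fee)
        return fee

    def redeem(self, user, asset_amount=None):
        if asset_amount is None:
            asset_amount = self.balances[user]
        owed = asset_amount * self.exchange_rate // PRECISION
        if owed > self.underlying:
            # In the real contract this is where the underlying transfer fails.
            raise PoolUnderfunded(f"{user} is owed {owed} but pool holds {self.underlying}")
        self.balances[user] -= asset_amount
        self.total_supply -= asset_amount
        self.underlying -= owed
        return owed


def vulnerable_scenario():
    """Two equal deposits, no flash loans: the first redeemer is overpaid,
    the second cannot redeem at all. Returns (alice_out, bob_stuck, left)."""
    pool = Pool(deposit_updates_rate=True)
    pool.deposit("alice", 1_000 * PRECISION)
    pool.deposit("bob", 1_000 * PRECISION)
    alice_out = pool.redeem("alice")
    try:
        pool.redeem("bob")
        bob_stuck = False
    except PoolUnderfunded:
        bob_stuck = True
    return alice_out, bob_stuck, pool.underlying


def fixed_scenario():
    """Same deposits with the fix; only a flash-loan fee moves the rate and
    both redemptions are paid in full. Returns (alice_out, bob_out, left)."""
    pool = Pool(deposit_updates_rate=False)
    pool.deposit("alice", 1_000 * PRECISION)
    pool.deposit("bob", 1_000 * PRECISION)
    pool.flash_loan(10_000 * PRECISION)  # 30 bps fee = 30 underlying into the pool
    return pool.redeem("alice"), pool.redeem("bob"), pool.underlying


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scenario())
    print("fixed:", fixed_scenario())
```

With the vulnerable setting, Alice's 1,000 deposit alone pushes the rate to 1.003, and Bob's deposit pushes it further; Alice walks away with more than 1,000 underlying and Bob's redeem reverts because the pool no longer holds what his AssetTokens are worth. With the fix, both leave with exactly 1,015 after a 10,000 flash loan at 30 bps, and the pool is emptied to zero with nobody short-changed.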

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

can't redeem because of the update exchange rate
