Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Severity: high
Invalid

ReadOnly Reentrancy

Summary

Vulnerability Details

Location: Potential vulnerable to readonly-reentrancy function (if read in other function) ThunderLoan.isCurrentlyFlashLoaning(IERC20) (src/protocol/ThunderLoan.sol#268-270):
State variables read that were written after the external call(s):

  • ThunderLoan.s_currentlyFlashLoaning (src/protocol/ThunderLoan.sol#99) was read at s_currentlyFlashLoaning[token] (src/protocol/ThunderLoan.sol#269)
    This variable was written at (after external call):

  • s_currentlyFlashLoaning[token] = true (src/protocol/ThunderLoan.sol#198)

  • s_currentlyFlashLoaning[token] = false (src/protocol/ThunderLoan.sol#216)

Impact

The flashloan function is vulnerable to reentrancy attacks. Although the contract tries to mitigate this by using the s_currentlyFlashLoaning mapping, it's not a foolproof solution.

The contract uses the functionCall method which can potentially lead to reentrancy attacks. However, the contract has a state variable s_currentlyFlashLoaning that prevents reentrancy in the flashloan function.

Oracle Manipulation: The contract relies on an external oracle for price feeds. If the oracle is manipulated or compromised, it could impact the contract's functionality.

Tools Used

Audit Wizard (Slither)

Recommendations

Check original reentrancy

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Vague generalities
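
For triage, the Slither output quoted in the submission can be reduced to the exact source lines a reviewer has to open. The following Python sketch is an added example, not part of the submission or of Slither; it assumes the detector text has the layout shown on this page, and `parse_finding` and `review_sites` are hypothetical helper names.

```python
import re

# Detector text copied from the submission above.
FINDING = """\
Location: Potential vulnerable to readonly-reentrancy function (if read in other function) ThunderLoan.isCurrentlyFlashLoaning(IERC20) (src/protocol/ThunderLoan.sol#268-270):
State variables read that were written after the external call(s):
  • ThunderLoan.s_currentlyFlashLoaning (src/protocol/ThunderLoan.sol#99) was read at s_currentlyFlashLoaning[token] (src/protocol/ThunderLoan.sol#269)
    This variable was written at (after external call):
  • s_currentlyFlashLoaning[token] = true (src/protocol/ThunderLoan.sol#198)
  • s_currentlyFlashLoaning[token] = false (src/protocol/ThunderLoan.sol#216)
"""

def loc(p):
    # Matches "(path#start-end)" or "(path#line)"; group names are prefixed with p.
    return rf"\((?P<{p}file>[^()#]+)#(?P<{p}start>\d+)(?:-(?P<{p}end>\d+))?\)"

HEAD = re.compile(r"readonly-reentrancy function \(if read in other function\) (?P<func>\S+) " + loc("f"))
READ = re.compile(r"(?P<var>\S+) " + loc("d") + r" was read at (?P<expr>.+?) " + loc("r"))
WRITE = re.compile(r"^\s*[•-]\s*(?P<expr>.+?) " + loc("w") + r"\s*$")

def parse_finding(text):
    """Return the flagged view function, the state variable, and each read/write site."""
    head = HEAD.search(text)
    if head is None:
        raise ValueError("not a readonly-reentrancy finding")
    out = {"function": head["func"], "file": head["ffile"],
           "span": (int(head["fstart"]), int(head["fend"] or head["fstart"])),
           "variable": None, "reads": [], "writes": []}
    for line in text.splitlines():
        if (m := READ.search(line)):
            out["variable"] = m["var"]
            out["reads"].append((m["expr"], int(m["rstart"])))
        elif (m := WRITE.match(line)):
            # Bulleted lines without "was read at" are the post-call writes.
            out["writes"].append((m["expr"], int(m["wstart"])))
    return out

def review_sites(finding):
    """Source lines to open when confirming or rejecting the finding, as file:line."""
    lines = sorted({n for _, n in finding["reads"] + finding["writes"]})
    return [f"{finding['file']}:{n}" for n in lines]

if __name__ == "__main__":
    print("\n".join(review_sites(parse_finding(FINDING))))
```

The output lists only where the flag is read and written; whether any other code acts on the value returned by the view function still has to be established by reading those sites.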
