Submission Details
Severity: low
Invalid

Reentrancy Benign (Upgraded)

Summary

Detection of the reentrancy bug. Only reports reentrancy that acts as a double call (see reentrancy-eth, reentrancy-no-eth).

Vulnerability Details

Location:

Reentrancy in ThunderLoanUpgraded.flashloan(address,IERC20,uint256,bytes) (src/upgradedProtocol/ThunderLoanUpgraded.sol#178-215):

External calls:

  • assetToken.updateExchangeRate(fee) (src/upgradedProtocol/ThunderLoanUpgraded.sol#192)
  • assetToken.transferUnderlyingTo(receiverAddress,amount) (src/upgradedProtocol/ThunderLoanUpgraded.sol#197)
  • receiverAddress.functionCall(abi.encodeWithSignature(executeOperation(address,uint256,uint256,address,bytes),address(token),amount,fee,msg.sender,params)) (src/upgradedProtocol/ThunderLoanUpgraded.sol#199-208)

State variables written after the call(s):

  • s_currentlyFlashLoaning[token] = false (src/upgradedProtocol/ThunderLoanUpgraded.sol#214)

Impact

Upgradability Risks: The contract uses the UUPS (Universal Upgradeable Proxy Standard) pattern for upgradability. If the upgrade path is not properly managed, this could lead to risks such as an attacker gaining control of the proxy admin and changing the implementation contract.
Error Handling: The contract uses custom errors, which may be less descriptive or helpful when debugging issues.

Tools Used

Audit Wizard (Slither)

Recommendations

Apply the checks-effects-interactions pattern.
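As an added illustration (not ThunderLoanUpgraded's code and not part of the submission), a simplified flash-loan function with the same call-then-write shape Slither reports, showing why the flag reset has to stay after the callback and which controls make that ordering safe. The token and receiver interfaces and the balance-based repayment check are assumptions; the names follow the Slither output above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not ThunderLoanUpgraded's code; the interfaces and the
// balance-based repayment check are assumptions, names follow the Slither output.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashLoanReceiver {
    function executeOperation(
        address token, uint256 amount, uint256 fee, address initiator, bytes calldata params
    ) external returns (bool);
}

contract FlashLoanSketch {
    mapping(address => bool) public s_currentlyFlashLoaning;
    bool private s_entered;

    error Reentered();
    error AlreadyFlashLoaning(address token);
    error NotPaidBack(uint256 expected, uint256 actual);

    modifier nonReentrant() {
        if (s_entered) revert Reentered();
        s_entered = true;
        _;
        s_entered = false;
    }

    // The shape Slither reports as reentrancy-benign: an external call to the
    // receiver followed by a write to s_currentlyFlashLoaning. That write cannot
    // be hoisted above the call, because the callback is meant to see the flag
    // as true. CEI is applied to every other state change, and the guard plus
    // the repayment check bound what a re-entering receiver can do.
    function flashloan(address token, uint256 amount, uint256 fee, address receiver, bytes calldata params) external nonReentrant {
        if (s_currentlyFlashLoaning[token]) revert AlreadyFlashLoaning(token);
        uint256 startingBalance = IERC20Like(token).balanceOf(address(this));
        s_currentlyFlashLoaning[token] = true;                 // effect, before any interaction
        require(IERC20Like(token).transfer(receiver, amount)); // interaction 1: send the principal
        IFlashLoanReceiver(receiver).executeOperation(token, amount, fee, msg.sender, params); // interaction 2
        uint256 endingBalance = IERC20Like(token).balanceOf(address(this));
        if (endingBalance < startingBalance + fee) revert NotPaidBack(startingBalance + fee, endingBalance);
        s_currentlyFlashLoaning[token] = false;                // the one post-call write: loan bookkeeping
    }
}
```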

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Vague generalities
