Tags: Beginner Friendly, Foundry, DeFi, Oracle
100 EXP

Submission Details

Severity: low
Status: Invalid

Reentrancy Events (Upgraded)

Summary

Detects reentrancies that allow manipulation of the order or value of events.

Vulnerability Details

Location:

Reentrancy in ThunderLoanUpgraded.flashloan(address,IERC20,uint256,bytes) (src/upgradedProtocol/ThunderLoanUpgraded.sol#178-215):

External calls:

  • assetToken.updateExchangeRate(fee) (src/upgradedProtocol/ThunderLoanUpgraded.sol#192)

Event emitted after the call(s):

  • FlashLoan(receiverAddress,token,amount,fee,params) (src/upgradedProtocol/ThunderLoanUpgraded.sol#194)

Impact

Oracle Manipulation: The contract relies on an external oracle for price feeds. If the oracle is manipulated, it could affect the contract's functionality and potentially lead to loss of funds.

No Emergency Stop Mechanism: The contract does not have a mechanism to pause operations in case of a detected issue or attack.

Potential Underflow/Overflow Issues: The contract does not use SafeMath for arithmetic operations, which could potentially lead to underflow/overflow issues.

Upgradability Risks: The contract uses the UUPS (Universal Upgradeable Proxy Standard) pattern for upgradability. If not properly managed, this could lead to risks such as an attacker gaining control of the proxy admin and changing the implementation contract.

Tools Used

Audit Wizard (Slither)

Recommendations

Apply the check-effects-interactions pattern.
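The ordering Slither reports above (external call, then event) beside the checks-effects-interactions ordering this recommendation asks for, as an added example that is not part of this submission or of ThunderLoan's code base. The interfaces, contract names, fee value, the reentrancy guard and the executeOperation callback are assumptions made for the illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the Slither "reentrancy-events" pattern flagged above.
// Hypothetical minimal contracts written for this page, not ThunderLoan's code:
// every interface, name and fee value here is an assumption.

interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IAssetToken {
    // Assumed: credits `fee` to liquidity providers by raising an exchange rate.
    function updateExchangeRate(uint256 fee) external;
}

interface IFlashLoanReceiver {
    // Assumed callback: the receiver must send back `amount + fee` before returning.
    function executeOperation(address token, uint256 amount, uint256 fee, bytes calldata params) external;
}

// Ordering that Slither reports: external calls first, event last. If the
// receiver's callback re-enters flashloan(), the nested call's FlashLoan event
// is logged before the outer one, so an off-chain indexer replaying the log
// sees the loans in the wrong order.
contract VaultEventAfterCall {
    event FlashLoan(address indexed receiver, address indexed token, uint256 amount, uint256 fee, bytes params);

    uint256 public constant FEE_BPS = 30; // assumed 0.3 % fee
    IAssetToken public immutable assetToken;

    constructor(IAssetToken assetToken_) {
        assetToken = assetToken_;
    }

    function flashloan(address receiver, IERC20Minimal token, uint256 amount, bytes calldata params) external {
        uint256 fee = (amount * FEE_BPS) / 10_000;
        uint256 startBalance = token.balanceOf(address(this));

        require(token.transfer(receiver, amount), "transfer failed");
        IFlashLoanReceiver(receiver).executeOperation(address(token), amount, fee, params); // interaction
        require(token.balanceOf(address(this)) >= startBalance + fee, "loan not repaid");   // check
        assetToken.updateExchangeRate(fee);                                                  // interaction

        emit FlashLoan(receiver, address(token), amount, fee, params); // effect after interactions: flagged
    }
}

// Checks-effects-interactions ordering: the event (an effect) is emitted before
// any external call, so a nested call cannot reorder it. The repayment check is
// inherently post-call, so it stays after the callback; the reentrancy guard
// closes the nested-call path altogether.
contract VaultEventBeforeCall {
    event FlashLoan(address indexed receiver, address indexed token, uint256 amount, uint256 fee, bytes params);

    uint256 public constant FEE_BPS = 30; // assumed 0.3 % fee
    IAssetToken public immutable assetToken;
    bool private locked;

    constructor(IAssetToken assetToken_) {
        assetToken = assetToken_;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function flashloan(address receiver, IERC20Minimal token, uint256 amount, bytes calldata params)
        external
        nonReentrant
    {
        uint256 fee = (amount * FEE_BPS) / 10_000;
        uint256 startBalance = token.balanceOf(address(this));

        emit FlashLoan(receiver, address(token), amount, fee, params); // effect first

        require(token.transfer(receiver, amount), "transfer failed");
        IFlashLoanReceiver(receiver).executeOperation(address(token), amount, fee, params); // interaction
        require(token.balanceOf(address(this)) >= startBalance + fee, "loan not repaid");   // check
        assetToken.updateExchangeRate(fee);                                                  // interaction
    }
}
```

Moving the emit ahead of the external calls is the single change that clears the Slither finding; every value the event carries is known before the calls, and a revert later in the function rolls the event back with the rest of the transaction, so nothing is logged for a loan that was never repaid. The nonReentrant guard is a complementary control that stops the nested call itself rather than only its effect on event order.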

Updates

Lead Judging Commences

0xnevi Lead Judge, almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Vague generalities
