First Flight #3: Thunder Loan

First Flight #3

Beginner FriendlyFoundryDeFiOracle

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

receiverAddress.isContract is not foolproof, allowing an EOA to misuse the flash loan feature

0xtheblackpanther

Summary

The issue is that the flashloan function can be exploited to be called by externally owned addresses (EOAs) when it should only be accessible to smart contracts.

Vulnerability Details

The vulnerability details involve the potential for external addresses (EOAs) to bypass the contract-only restriction and exploit the flashloan function.

Impact

External addresses (EOAs) can initiate flash loans, which should only be available to contracts, potentially leading to misuse of the flash loan functionality and destabilization of the system.

POC

This test successfully passes by utilizing an external owner address (EOA) to call the flash loan function, despite the intended restriction that only contracts should have access to it.

function testExploitFlashLoan() public {

// Simulate an EOA address

address externalOwner = address(0x73de83588F8D99d8043143b29BCD015A61433A29);

// Attempt to call flashloan from the EOA address

(bool success, ) = externalOwner.call(

abi.encodeWithSignature(

"flashloan(address,address,uint256,bytes)",

address(thunderLoan),

100, // amount

"Exploit"

)

);

// Check if the call was successful

assertEq(success, true);

}

Tools Used

Foundry
Manual review

Recommendations

To address this vulnerability, ensure that only contract addresses are allowed to initiate flash loans by improving the check for receiverAddress.isContract() to be more robust and prevent EOA bypasses.

-if (!receiverAddress.isContract()) { revert ThunderLoan__CallerIsNotContract(); }

+require(receiverAddress.isContract(), "Caller must be a contract");

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

0xtheblackpanther Submitter

almost 2 years ago

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

387

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.