Submission Details
Severity: high
Valid

Flawed Exchange Rate Update Leads to Inequitable Redemption Value

Vulnerability Details

The ThunderLoan protocol's deposit function includes a call to updateExchangeRate within the AssetToken.sol contract which inadvertently affects the redemption value of the liquidity provider's (LP's) tokens. The updateExchangeRate function recalculates the exchange rate of the asset token, with the intention of distributing fees across token holders by increasing the exchange rate proportionally.

However, when a deposit is made, the exchange rate is updated before the LP can redeem, meaning they cannot redeem their tokens on a 1:1 basis immediately after depositing, as they should be able to. The update to the exchange rate effectively dilutes the value of the tokens just minted for the depositor due to the fee calculation and distribution.

The deposit function in ThunderLoan.sol and ThunderLoanUpgraded.sol is as follows:

File: ThunderLoan.sol
function deposit(IERC20 token, uint256 amount) external {
    // ...existing code...
    assetToken.mint(msg.sender, mintAmount);
    uint256 calculatedFee = getCalculatedFee(token, amount);
    assetToken.updateExchangeRate(calculatedFee);
    // ...existing code...
}

The associated updateExchangeRate function in AssetToken.sol updates the exchange rate based on the fee:

File: AssetToken.sol
function updateExchangeRate(uint256 fee) external {
    // ...existing code...
    uint256 newExchangeRate = s_exchangeRate * (totalSupply() + fee) / totalSupply();
    // ...existing code...
}
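
The interaction of the two snippets above, modeled in Python as an added example (not ThunderLoan's or the submitter's code): it shows that the rate used at mint and the rate used at redemption differ within a single deposit, and compares the resulting claim with the underlying actually held. It assumes a precision and starting rate of 1e18, the mint and redeem formulas noted in the comments, and a constructed deposit and fee; `AssetTokenModel` and `simulate` are hypothetical names.

```python
# Added illustration: integer model of deposit() followed by updateExchangeRate(),
# as quoted above. Solidity's truncating division is modeled with //.
# Assumptions (not shown on the page): precision and starting rate of 1e18,
# mint = amount * PRECISION / rate, redeem value = tokens * rate / PRECISION,
# and deposit() transfers exactly `amount` of underlying into the pool.
PRECISION = 10**18


class AssetTokenModel:
    def __init__(self):
        self.rate = PRECISION       # s_exchangeRate (assumed starting value)
        self.total_supply = 0       # asset tokens in circulation
        self.underlying_held = 0    # underlying tokens the pool actually holds

    def deposit(self, amount, fee):
        """Mirror the quoted deposit(): mint at the current rate, then bump the rate."""
        minted = amount * PRECISION // self.rate
        self.total_supply += minted
        # updateExchangeRate(fee): the rate moves although only `amount` arrives
        self.rate = self.rate * (self.total_supply + fee) // self.total_supply
        self.underlying_held += amount
        return minted

    def redemption_value(self, tokens):
        """Underlying claimed by `tokens` at the current exchange rate."""
        return tokens * self.rate // PRECISION


def simulate(amount, fee):
    pool = AssetTokenModel()
    rate_at_mint = pool.rate
    minted = pool.deposit(amount, fee)
    return {
        "minted": minted,
        "rate_at_mint": rate_at_mint,
        "rate_after": pool.rate,
        "redemption_value": pool.redemption_value(minted),
        "underlying_held": pool.underlying_held,
    }


if __name__ == "__main__":
    # Constructed sample: 1000 tokens deposited, fee value of 3 tokens assumed
    for key, value in simulate(1000 * PRECISION, 3 * PRECISION).items():
        print(f"{key:>17}: {value}")
```

With the constructed inputs, the redemption value computed right after the deposit no longer equals the deposited amount and does not match the underlying balance held by the pool.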

Impact

This flaw can lead to an immediate loss of value for LPs depositing their tokens, as the tokens they receive will be worth less than the deposited amount if they were to redeem them instantly. This undermines the confidence in the fairness of the protocol and can deter potential liquidity providers from participating.

Recommendations

To rectify this issue, the protocol should ensure that the exchange rate is updated in a way that does not affect the LPs who have just deposited. One approach would be to delay the fee distribution until after a certain period or until the next deposit or withdrawal occurs from another user, thus separating the exchange rate update from the individual deposit transaction.

Alternatively, the protocol can adjust the minted amount to account for the upcoming exchange rate change, so that the LPs receive an amount of tokens that will still hold the same value after the exchange rate is updated.

Here's a suggested code modification to adjust the minted amount:

File: ThunderLoan.sol
function deposit(IERC20 token, uint256 amount) external {
    // ...existing code...
    uint256 calculatedFee = getCalculatedFee(token, amount);
    uint256 adjustedMintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / (exchangeRate + calculatedFee);
    assetToken.mint(msg.sender, adjustedMintAmount);
    assetToken.updateExchangeRate(calculatedFee);
    // ...existing code...
}

This change calculates the mint amount by anticipating the new exchange rate post-update, thereby preserving the 1:1 value for immediate redemption.

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

can't redeem because of the update exchange rate
