Submission Details
Severity: medium
Invalid

ThunderLoan.sol#deposit() - Attacker can mint tokens without depositing

Summary

deposit() requires the user to transfer an amount of the underlying asset to get shares, but in the implementation the mint() comes before the transfer, which can cause the user/attacker to mint shares with zero assets in their wallet. He can then call redeem() and claim some free assets for himself.

Vulnerability Details

An attacker can mint new shares for free without any collateral by calling deposit() without the underlying token in his wallet, since the function mints the assetToken before the deposit is made.

Impact

Loss of funds as the attacker has free assetTokens to redeem after the next depositors

Tools Used

Manual Review

Recommendations

Make the deposit before the token is minted:

function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {
AssetToken assetToken = s_tokenToAssetToken[token];
uint256 exchangeRate = assetToken.getExchangeRate();
uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;
emit Deposit(msg.sender, token, amount);
-- assetToken.mint(msg.sender, mintAmount);
uint256 calculatedFee = getCalculatedFee(token, amount);
assetToken.updateExchangeRate(calculatedFee);
-- token.safeTransferFrom(msg.sender, address(assetToken), amount);
++ assetToken.mint(msg.sender, mintAmount);
}
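
Review bot: the line "-- token.safeTransferFrom(msg.sender, address(assetToken), amount);" is marked as removed and is never re-added, so the patched deposit() as written would mint shares and never pull the underlying token at all. If the intent is only to reorder, keep the transfer as an unchanged line and place "++ assetToken.mint(msg.sender, mintAmount);" directly after it. Also note that the mint and the safeTransferFrom sit in the same call: a SafeERC20-style safeTransferFrom reverts when the caller lacks balance or allowance, and that revert undoes the earlier mint in the same transaction, so the order of these two lines does not by itself let a mint survive a failed transfer.
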
Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
