Submission Details
Severity: high
Valid

AssetTokens value is increased during a deposit

Summary

AssetTokens are issued to liquidity providers as a token of ownership for the assets they deposit. The value of these tokens appreciates with the accumulation of fees paid by users of flash loans.

Vulnerability Details

The value of AssetTokens is erroneously inflated on every deposit. The flaw is fixed in the updated contract, ThunderLoanUpgraded.sol, but the deployment script still references the original ThunderLoan.sol, which contains the bug.

Impact

Because the valuation of AssetTokens is inflated, liquidity providers who redeem early withdraw a disproportionate amount of assets, beyond their equitable share.
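The effect can be reproduced with a small accounting model. This is an added example, not code from the submission or from the Thunder Loan repository: the `Pool` class, the 0.3% fee rate, the proportional rate-update formula and the deposit amounts are all assumptions chosen to illustrate the described behaviour.

```python
from fractions import Fraction

FEE_RATE = Fraction(3, 1000)  # assumed fee rate, not taken from the page

class Pool:
    """Simplified single-asset pool; AssetTokens are priced by an exchange rate."""
    def __init__(self, bump_rate_on_deposit):
        self.bump = bump_rate_on_deposit  # True models the buggy deposit path
        self.rate = Fraction(1)           # underlying per AssetToken
        self.shares = {}                  # LP -> AssetToken balance
        self.underlying = Fraction(0)     # underlying actually held by the pool

    def total_shares(self):
        return sum(self.shares.values(), Fraction(0))

    def _accrue(self, fee):
        # Assumed rule: the rate grows in proportion to the fee credited to holders.
        total = self.total_shares()
        self.rate = self.rate * (total + fee) / total

    def deposit(self, lp, amount):
        amount = Fraction(amount)
        self.shares[lp] = self.shares.get(lp, Fraction(0)) + amount / self.rate
        if self.bump:
            self._accrue(amount * FEE_RATE)  # bug: a fee is credited but never paid in
        self.underlying += amount

    def flash_loan_fee(self, loan_amount):
        fee = Fraction(loan_amount) * FEE_RATE
        self._accrue(fee)        # legitimate appreciation: the fee really arrives
        self.underlying += fee

    def redeem_all(self, lp):
        owed = self.shares[lp] * self.rate
        if owed > self.underlying:
            raise ValueError("pool cannot cover redemption")
        del self.shares[lp]
        self.underlying -= owed
        return owed

def simulate(bump_rate_on_deposit):
    """Two constructed LPs deposit 1000 each, then redeem in order."""
    pool = Pool(bump_rate_on_deposit)
    pool.deposit("alice", 1000)
    pool.deposit("bob", 1000)
    shortfall = pool.total_shares() * pool.rate - pool.underlying
    alice_out = pool.redeem_all("alice")
    try:
        bob_out = pool.redeem_all("bob")
    except ValueError:
        bob_out = None  # the later redeemer is left with an uncovered claim
    return alice_out, bob_out, shortfall
```

With the rate bumped on deposit, total claims exceed the assets held, so the first redeemer takes out more than was deposited and the second redemption cannot be covered.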

Tools Used

Manual review.

Recommendations

Rewrite the deploy script so that it deploys the upgraded contract.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

import { Script } from "forge-std/Script.sol";
// Import the fixed implementation under the name used below.
import { ThunderLoanUpgraded } from "../src/upgradedProtocol/ThunderLoanUpgraded.sol";
import { ERC1967Proxy } from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

contract DeployThunderLoan is Script {
    function run() public {
        vm.startBroadcast();
        // Deploy the upgraded implementation and point the proxy at it.
        ThunderLoanUpgraded thunderLoanUpgraded = new ThunderLoanUpgraded();
        new ERC1967Proxy(address(thunderLoanUpgraded), "");
        vm.stopBroadcast();
    }
}

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

can't redeem because of the update exchange rate
