The current ownership structure of the ThunderLoan protocol is based on a single Externally Owned Account (EOA). Several critical functions, such as setAllowedToken, updateFlashLoanFee, and _authorizeUpgrade, are gated behind the onlyOwner modifier, which means they can only be executed by the owner account. This design creates a single point of failure and presents a significant security risk.
If the owner's private key is compromised (or if the owner becomes malicious), the attacker would gain unrestricted access to these sensitive functions, allowing them to disrupt the protocol's operations, drain funds, or execute arbitrary upgrades. Additionally, if the sole owner loses access to their key, it may become impossible to perform necessary administrative actions, effectively freezing the protocol.
The reliance on a single owner increases the protocol's vulnerability to attacks or accidents that could result in substantial financial loss for users and damage to the protocol's reputation. This centralization contradicts the decentralized ethos of blockchain and diminishes user trust in the system.
To mitigate these risks, the protocol should consider implementing one of the following strategies:
Multi-Signature Wallet: Replace the single owner with a multi-signature wallet requiring multiple confirmations to execute sensitive functions. This distributes trust among several parties and reduces the likelihood of unauthorized access.
Decentralized Autonomous Organization (DAO): Transition control of the protocol to a DAO, where governance tokens allow stakeholders to vote on critical decisions, including smart contract upgrades and parameter changes.
Role-Based Access Control (RBAC): Implement an RBAC system where different roles with specific permissions are assigned to multiple parties, ensuring no single account has complete control over the protocol.
Timelocks and Admin Keys: Introduce a timelock mechanism for critical functions, providing a delay between the initiation of an action and its execution, allowing time for community review and intervention if necessary. Additionally, the admin keys could be held in a secure, multisig contract with vetted signers.
Emergency Pause: Implement an emergency pause functionality, allowing a trusted committee or DAO to halt certain protocol functions in the event of a detected breach or vulnerability.
By adopting these measures, ThunderLoan can significantly improve its security posture, reduce the risks associated with a single point of failure, and move towards a more decentralized and resilient infrastructure.
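The timelock and multisig recommendations above can be combined in one owner contract. The following is an added illustration, not ThunderLoan code or part of the original finding: the contract name TimelockedOwner, its functions, and the assumption that `multisig` is an m-of-n wallet contract are all hypothetical, and it assumes this contract is made the owner of ThunderLoan so that every onlyOwner call has to pass through it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical example: a minimal timelocked owner for onlyOwner-gated contracts.
contract TimelockedOwner {
    address public immutable multisig;      // assumed m-of-n wallet; sole queue/cancel/execute caller
    uint256 public immutable delay;         // review window in seconds
    mapping(bytes32 => uint256) public eta; // operation id => earliest execution timestamp

    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    modifier onlyMultisig() {
        require(msg.sender == multisig, "not multisig");
        _;
    }

    constructor(address multisig_, uint256 delay_) {
        // Reject an EOA here, otherwise the single-key risk is simply moved, not removed.
        require(multisig_.code.length > 0, "multisig must be a contract");
        require(delay_ > 0, "delay required");
        multisig = multisig_;
        delay = delay_;
    }

    /// Announce an owner action (e.g. encoded updateFlashLoanFee calldata) on-chain.
    function queue(address target, bytes calldata data, bytes32 salt) external onlyMultisig returns (bytes32 id) {
        id = keccak256(abi.encode(target, data, salt));
        require(eta[id] == 0, "already queued");
        eta[id] = block.timestamp + delay;
        emit Queued(id, target, data, eta[id]); // watchers alert on this event
    }

    /// Withdraw a queued action during the review window.
    function cancel(bytes32 id) external onlyMultisig {
        require(eta[id] != 0, "unknown op");
        delete eta[id];
        emit Cancelled(id);
    }

    /// Run a queued action once the delay has elapsed.
    function execute(address target, bytes calldata data, bytes32 salt) external onlyMultisig {
        bytes32 id = keccak256(abi.encode(target, data, salt));
        uint256 ready = eta[id];
        require(ready != 0 && block.timestamp >= ready, "not ready");
        delete eta[id]; // clear before the external call so the op cannot be replayed
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
    }
}
```

Because upgrades and fee changes must first appear as a Queued event, users and monitoring tools get the full delay to react before the change takes effect.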