## Description
The exchange rate update inside the ThunderLoan::deposit() function is incorrect and can lead to drainage of funds.
The protocol states that liquidity providers earn interest on their asset tokens from flash loans. They should therefore not be credited interest on a plain deposit, yet every deposit currently raises the exchange rate, so a depositor can redeem a higher amount even immediately after depositing.
A malicious actor can call deposit() followed by redeem() repeatedly, earning interest on each deposit and redeeming more than was deposited right afterwards. Repeating this gradually drains funds from the protocol and yields interest without any user taking a flash loan.
As a result, liquidity providers will no longer be able to redeem the amount corresponding to their minted asset token balance once the attacker has drained the funds.
## PoC
Include the below test inside test/unit/ThunderLoanTest.t.sol. To run the tests:

```bash
forge test --mt test_AttackerCanDrainTokens -vv
forge test --mt test_LiquidityProviderCantRedeem -vv
```
## Impact
Funds are drained from the protocol, and liquidity providers can't redeem the underlying for their asset token balance.
## Tools Used
Manual Review, Foundry Tests (Forge)
## Recommendations
The exchange rate should not be increased when liquidity providers make a deposit. Modify the ThunderLoan::deposit() function so that it no longer updates the exchange rate on deposit.
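The accounting flaw described above and the effect of the recommended fix, shown as an added Python model (not the project's Solidity and not part of the original finding): it assumes an exchange-rate precision of 1e18, a 0.3% fee, and the rate update rate * (supply + fee) / supply, and compares a vulnerable deposit() that updates the rate with a fixed one that does not.

```python
PRECISION = 10**18   # assumed exchange-rate precision (1e18)
FEE_BPS = 30         # assumed 0.3% flash-loan fee, in basis points


class Pool:
    """Minimal model of one ThunderLoan asset-token pool (assumed, not the real contract)."""

    def __init__(self):
        self.exchange_rate = PRECISION   # 1 asset token == 1 underlying at start
        self.total_supply = 0            # asset tokens minted
        self.underlying = 0              # underlying tokens actually held by the pool
        self.balances = {}               # asset-token balance per account

    def _update_exchange_rate(self, fee):
        # Assumed updateExchangeRate: the rate grows by fee / total_supply, which is
        # only sound when `fee` was really paid into the pool (i.e. by a flash loan).
        if self.total_supply:
            self.exchange_rate = self.exchange_rate * (self.total_supply + fee) // self.total_supply

    def deposit(self, who, amount, vulnerable):
        mint = amount * PRECISION // self.exchange_rate   # minted at the pre-deposit rate
        self.total_supply += mint
        self.balances[who] = self.balances.get(who, 0) + mint
        self.underlying += amount
        if vulnerable:
            # Bug: the deposit is treated like a flash loan and a fee nobody paid is
            # credited, inflating the rate for everyone, including the depositor.
            self._update_exchange_rate(amount * FEE_BPS // 10_000)
        # Fixed deposit(): no rate update here; the rate only moves on flash-loan fees.

    def redeem(self, who, asset_tokens):
        amount = asset_tokens * self.exchange_rate // PRECISION
        if amount > self.underlying:
            raise RuntimeError("pool cannot cover redemption: funds drained")
        self.balances[who] -= asset_tokens
        self.total_supply -= asset_tokens
        self.underlying -= amount
        return amount


def simulate(vulnerable, cycles=1, lp=100_000 * PRECISION, stake=1_000 * PRECISION):
    """Return (attacker profit, LP shortfall) after `cycles` deposit/redeem rounds.
    Shortfall = what the LP's asset tokens claim minus what the pool actually holds."""
    pool = Pool()
    pool.deposit("lp", lp, vulnerable)             # an honest LP seeds the pool
    profit = 0
    for _ in range(cycles):
        pool.deposit("attacker", stake, vulnerable)
        profit += pool.redeem("attacker", pool.balances["attacker"]) - stake
    lp_claim = pool.balances["lp"] * pool.exchange_rate // PRECISION
    return profit, lp_claim - pool.underlying
```

With the fix, deposit followed by immediate redeem returns exactly the deposited amount and the LP's claim matches the pool balance; with the rate update left in, each cycle yields a positive profit and the LP shortfall grows.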