Submission Details
Severity: medium
Valid

Disallowed Tokens Will Get Locked In The Protocol

Summary

The protocol allows users to redeem deposited tokens through the redeem function. That function checks that the token is allowed by looking up its entry in the s_tokenToAssetToken mapping; if there is no entry, the function reverts. As a result, if the owner of the ThunderLoan contract removes a token from the mapping, users can no longer withdraw that token.

Vulnerability Details

  1. The owner adds WETH to the allowed tokens through setAllowedToken.

  2. Users deposit funds and earn interest.

  3. The owner removes WETH from the allowed tokens through setAllowedToken.

  4. Users can no longer withdraw their funds.

Impact

Users that deposited tokens to the protocol lose access to their funds.

Tools Used

Manual Review

Recommendations

It is recommended to allow users to withdraw funds from the protocol even after the token has been disallowed.
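The guard described above and the recommended fix, as an added Solidity sketch that is not the audited ThunderLoan code (the IERC20 interface, the contract name, the 1:1 shares accounting and the s_depositAllowed flag are assumptions made for illustration):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative pool (assumed, not the audited ThunderLoan code). It keeps a
// separate "deposits allowed" flag so that disallowing a token blocks NEW
// deposits only; the token's asset-token link and user balances survive,
// so redeem keeps working. The vulnerable pattern described in the finding
// deletes s_tokenToAssetToken[token] on disallow and guards redeem with the
// same mapping check, which makes every later redeem revert.
contract LockSafePool {
    error NotAllowedToken(address token);
    error UnknownToken(address token);
    error NotOwner();

    address public immutable owner;
    mapping(address => address) public s_tokenToAssetToken;        // underlying => receipt token (assumed layout)
    mapping(address => bool) public s_depositAllowed;              // gates deposits only
    mapping(address => mapping(address => uint256)) public shares; // token => user => shares (1:1, no interest)

    constructor() { owner = msg.sender; }

    function setAllowedToken(address token, address assetToken, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        // Never delete the asset-token link; existing depositors still need it to redeem.
        if (allowed && s_tokenToAssetToken[token] == address(0)) {
            s_tokenToAssetToken[token] = assetToken;
        }
        s_depositAllowed[token] = allowed;
    }

    function deposit(address token, uint256 amount) external {
        if (!s_depositAllowed[token]) revert NotAllowedToken(token); // only new deposits are gated
        shares[token][msg.sender] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Redeem checks only that the token was ever onboarded, not that it is currently allowed.
    function redeem(address token, uint256 amount) external {
        if (s_tokenToAssetToken[token] == address(0)) revert UnknownToken(token);
        shares[token][msg.sender] -= amount; // reverts on underflow (0.8 checked math)
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

In a Foundry test, calling setAllowedToken(token, asset, false) after a deposit and then redeem from the depositor should succeed, while a fresh deposit should revert with NotAllowedToken.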

Updates

Lead Judging Commences
0xnevi (Lead Judge), about 2 years ago

Submission Judgement Published
0xnevi (Lead Judge), about 2 years ago
Invalidated
Reason: Admin Input/call validation

Submission Judgement Published
0xnevi (Lead Judge), about 2 years ago
Validated
Assigned finding tags:

centralized owners can brick redemptions by unallowing a token
