Tags: Beginner Friendly, Foundry, DeFi, Oracle
100 EXP
Submission Details
Severity: high
Valid

State Variable Storage Collision Leads to Incorrect Fee Management and Potential Loss of Funds

Summary

The smart contract suffers from a critical state variable storage collision: the order of the state variables s_feePrecision and s_flashLoanFee was inadvertently changed in an upgrade. Because the new implementation reads the same proxy storage slots under different names, fee calculations are mishandled and contract functionality is disrupted.

Vulnerability Details

State variables in Ethereum smart contracts are stored contiguously in storage slots. In upgradeable contracts, the storage layout must remain consistent across versions. If the order of state variables changes during an upgrade, the values previously stored in those slots can be misinterpreted, leading to incorrect behavior and potential vulnerabilities.

In this specific contract, s_feePrecision was intended to define the precision used in fee calculations, while s_flashLoanFee held the fee charged on flash loans. After the upgrade their storage slots were swapped, so the new implementation reads the value the old one wrote as the precision where it expects the fee. This leads to the following problems:

  • Fee Calculation Errors: The values intended for precision control are now mistakenly used in fee calculations.

  • Misleading Fee Handling: The fees for flash loans could be inaccurately calculated, causing economic damage to the contract's users or the owner.

  • Incorrect State Assumptions: Logic that relied on the correct state could revert or behave unexpectedly.
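As an added illustration (not part of this finding or of the audited code), the following Python model assigns storage slots the way Solidity does for simple uint256 state variables, one 32-byte slot per non-constant variable in declaration order and none for constants, then shows what the upgraded contract reads from the slots the original wrote. It is deliberately simplified (no packing, no complex types; the declarations and the 0.3% fee value are constructed) and also covers the slot-preserving fix discussed under Recommendations.

```python
# Constructed, simplified declarations modelled on the finding:
# (name, type, is_constant). Layout rule used here (a simplification of
# Solidity's): each non-constant uint256 takes one 32-byte slot in
# declaration order; constants and immutables take no slot at all.
V1_DECLS = [("s_feePrecision", "uint256", False),
            ("s_flashLoanFee", "uint256", False)]
V2_DECLS = [("s_flashLoanFee", "uint256", False),
            ("FEE_PRECISION", "uint256", True)]
# Layout-preserving upgrade: s_feePrecision is kept (unused) only to hold
# slot 0, so s_flashLoanFee stays in slot 1; the constant takes no slot.
V2_FIXED_DECLS = [("s_feePrecision", "uint256", False),
                  ("s_flashLoanFee", "uint256", False),
                  ("FEE_PRECISION", "uint256", True)]
FEE_PRECISION = 10**18

def storage_layout(decls):
    """Map slot number -> (name, type) for the non-constant declarations."""
    layout, slot = {}, 0
    for name, typ, is_constant in decls:
        if is_constant:
            continue
        layout[slot] = (name, typ)
        slot += 1
    return layout

def layout_collisions(old_decls, new_decls):
    """Slots whose meaning changes across the upgrade: (slot, old_name, new_name)."""
    old, new = storage_layout(old_decls), storage_layout(new_decls)
    issues = []
    for slot, (old_name, old_type) in sorted(old.items()):
        if new.get(slot) != (old_name, old_type):
            issues.append((slot, old_name, new.get(slot, (None, None))[0]))
    return issues

def simulate_upgrade(old_decls, new_decls, written):
    """Proxy storage survives the upgrade: V1 writes by name, V2 reads its own names."""
    slots = {s: written.get(n, 0) for s, (n, _) in storage_layout(old_decls).items()}
    return {n: slots.get(s, 0) for s, (n, _) in storage_layout(new_decls).items()}

def flash_loan_fee(amount, fee, precision):
    """Fee charged on a flash loan of `amount` under the fee/precision convention."""
    return amount * fee // precision

if __name__ == "__main__":
    written = {"s_feePrecision": FEE_PRECISION, "s_flashLoanFee": 3 * 10**15}  # 0.3%
    print(layout_collisions(V1_DECLS, V2_DECLS))   # slot 0 now read as the fee
    print(simulate_upgrade(V1_DECLS, V2_DECLS, written))  # fee reads as 1e18 (100%)
```

Running the same check against V2_FIXED_DECLS reports no collisions, which is the pre-upgrade check a team would automate (for real contracts, compare the compiler's storage layout output rather than this model).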

Impact

The impact of this vulnerability is significant. It can lead to the following scenarios:

  • Incorrect fee calculations for flash loans, which could result in financial losses for either the contract's users or the contract owner.

  • Disruption of contract operations due to incorrect assumptions about the state.

  • Loss of trust in the contract's functionality from its users.

Tools Used

Foundry

Recommendations

To address this issue, the state variables should be reverted to their original order within the next contract upgrade. This realignment will prevent the incorrect interpretation of stored values, ensuring that fee calculations and contract logic operate as intended.

- uint256 private s_flashLoanFee; // 0.3% ETH fee
- uint256 public constant FEE_PRECISION = 1e18;
+ uint256 public constant FEE_PRECISION = 1e18;
+ uint256 private s_flashLoanFee;
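Review bot: swapping the two declarations does not by itself restore the original layout, because `FEE_PRECISION` is declared `constant` and constant variables occupy no storage slot; before and after this hunk `s_flashLoanFee` is the first slot-consuming variable and so lands in slot 0, the slot the original `s_feePrecision` occupied. To keep the previously stored fee readable, the old slot has to stay reserved ahead of `s_flashLoanFee`, e.g. retain `uint256 private s_feePrecision;` (or an explicitly named placeholder) as the first declaration and put the constant after it; verifying the before/after storage layout with the compiler's layout output before deploying the upgrade would catch this.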

Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

storage collision on upgrade
