Unprotected Deposits
Summary
There is no check to stop a malicious contract from manipulating the balance of the asset token by calling the deposit function during a flash loan.
Vulnerability Details
The deposit function is not checking if it is being called by the receiverAddress from the flashloan function. An attacker could drain funds by borrowing an amount of token via the flashloan function and then using the receiverAddress.functionCall to trigger the deposit function which would alter the state of the balance for the token during the same transaction without repaying it. The endingBalance check at the end of the flashloan function would pass and then the malicious contract would be able to redeem the tokens it deposited
Impact
All of the funds deposited in the ThunderLoan contract could be drained.
Tools Used
Recommendations
Add a state variable to keep track of addresses that are currently in the middle of a flash loan operation
Add a modifier that checks if the
msg.senderis one of the addresses currently in the middle of a flash loan transactionApply the modifier to the
depositfunction so that thereceiverAddresscannot call the deposit function to steal funds
Lead Judging Commences
flash loan funds stolen by a deposit
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.