First Flight #3: Thunder Loan
First Flight #3
Beginner FriendlyFoundryDeFiOracle
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Centralization risk given the owner has privileges to upgrade the implementation and modify the fees

ciara

The owner of the ThunderLoan contract can set the allowed tokens, update the flash loan fee, and upgrade the contract implementation. These capabilities could be performed with malicious intent.

Vulnerability details

The ThunderLoan contract inherits from OpenZeppelin's Ownable contract meaning that it has an owner: the address which has permissions to call functions with the onlyOwner modifier. These functions include:

  • ThunderLoan::setAllowedToken:

function setAllowedToken(IERC20 token, bool allowed) external onlyOwner returns (AssetToken) {
if (allowed) {
if (address(s_tokenToAssetToken[token]) != address(0)) {
revert ThunderLoan__AlreadyAllowed();
}
string memory name = string.concat("ThunderLoan ", IERC20Metadata(address(token)).name());
string memory symbol = string.concat("tl", IERC20Metadata(address(token)).symbol());
AssetToken assetToken = new AssetToken(address(this), token, name, symbol);
s_tokenToAssetToken[token] = assetToken;
emit AllowedTokenSet(token, assetToken, allowed);
return assetToken;
} else {
AssetToken assetToken = s_tokenToAssetToken[token];
delete s_tokenToAssetToken[token];
emit AllowedTokenSet(token, assetToken, allowed);
return assetToken;
}
}

  • ThunderLoan::updateFlashLoanFee:

function updateFlashLoanFee(uint256 newFee) external onlyOwner {
if (newFee > s_feePrecision) {
revert ThunderLoan__BadNewFee();
}
s_flashLoanFee = newFee;
}

  • Upgrade the contract implementation via UUPSUpgradeable::updateAndCall which calls ThunderLoan::_authorizeUpgrade:

function _authorizeUpgrade(address newImplementation) internal override onlyOwner { }

This owner is centralized and therefore users have to trust that the owner will not take advantage of these privileges and perform malicious upgrades, inflate the fee price, or add tokens which are a vulnerability risk.

Impact

If the owner address' private key is stolen by an attacker or the owner has malicious intentions, the users of the contract are vulnerable to malicious attacks resulting from the ability of the owner to:

  • Inflate the s_flashLoanFee to an arbitrarily large value. This would inflate the fee to be arbitrarily large meaning that users will have to pay significantly for even small loans.

  • Upgrade the contract implementation to any logic of their choosing. This could include malicious examples such as sending all of the liquidity providers' tokens to themselves by calling ThunderLoan::redeem or ThunderLoan::deposit.

The likelihood of the owner being a malicious actor or their private key being stolen is of medium likelihood but the impact is high. This makes this vulnerability a medium-severity vulnerability.

Recommended mitigation

The possible ways to mitigate this vulnerability are:

  • Use a multisig

  • Use a two-stage upgrade process

  • Prevent upgrades all-together

  • Warn users and clearly document the privileges and the implementation logic so that users are aware of the risks.

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

centralized owners can brick redemptions by unallowing a token

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.