The updateExchangeRate function in the AssetToken contract allows the exchange rate to increase without any cap. This means that if there's a significant increase in the total supply (e.g., due to a flash loan attack), it could lead to an excessive and uncontrolled increase in the exchange rate. To enhance security and prevent potential vulnerabilities related to exchange rate manipulation, it is recommended to add a cap to limit the rate increase.
The updateExchangeRate function calculates a new exchange rate based on the total supply and the fee. However, it does not have a cap to limit the maximum increase in the exchange rate. This can be problematic in situations where the total supply experiences a significant increase, such as when a flash loan attack is executed. In such cases, the new exchange rate may become unreasonably high, potentially leading to financial instability.
How the exchange rate can increase without a cap:
If the fee is significantly large compared to the total supply, the new exchange rate will also be significantly larger, which could be exploited by an attacker.
The impact of an uncapped exchange rate increase is that it can lead to excessive inflation in the value of the AssetToken without any control. This could be exploited by malicious actors in flash loan attacks or other manipulative actions, potentially causing financial losses and instability.
Manual
To mitigate the risk of an uncontrolled increase in the exchange rate, it is advisable to add a cap that limits the maximum rate increase.
By adding a cap (MAX_RATE_INCREASE in this example), you ensure that the exchange rate increase is limited to a reasonable value, reducing the risk of excessive inflation due to unexpected changes in the total supply. The specific cap value can be adjusted to match the desired level of control and security.
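One way to implement the recommended cap, as an added example (not the audited AssetToken code and not the submitter's own snippet). The update formula, the reading of MAX_RATE_INCREASE as basis points per update, and the contract, error and variable names are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal stand-in, not the audited AssetToken contract.
contract CappedRateToken {
    error RateCanOnlyIncrease(uint256 oldRate, uint256 newRate);
    error RateIncreaseTooLarge(uint256 oldRate, uint256 newRate, uint256 maxRate);
    error NoSupply();
    error NotUpdater();

    event ExchangeRateUpdated(uint256 newRate);

    uint256 public constant RATE_PRECISION = 1e18;
    // Assumed meaning: maximum relative increase per update, in basis points (500 = 5%).
    uint256 public constant MAX_RATE_INCREASE = 500;
    uint256 private constant BPS = 10_000;

    address public immutable updater;              // hypothetical privileged caller
    uint256 public exchangeRate = RATE_PRECISION;  // starts at 1.0
    uint256 public totalSupply;                    // stand-in for the ERC-20 supply

    constructor(uint256 initialSupply) {
        updater = msg.sender;
        totalSupply = initialSupply;
    }

    function updateExchangeRate(uint256 fee) external {
        if (msg.sender != updater) revert NotUpdater();
        uint256 supply = totalSupply;
        if (supply == 0) revert NoSupply();        // avoid division by zero

        uint256 oldRate = exchangeRate;
        // Assumed formula: the rate grows in proportion to fee / supply.
        uint256 newRate = oldRate * (supply + fee) / supply;
        if (newRate <= oldRate) revert RateCanOnlyIncrease(oldRate, newRate);

        // Cap: reject any single update above oldRate * (1 + MAX_RATE_INCREASE / BPS).
        uint256 maxRate = oldRate + oldRate * MAX_RATE_INCREASE / BPS;
        if (newRate > maxRate) revert RateIncreaseTooLarge(oldRate, newRate, maxRate);

        exchangeRate = newRate;
        emit ExchangeRateUpdated(newRate);
    }
}
```

Reverting makes the caller's transaction fail whenever the fee is too large relative to the supply; clamping newRate to maxRate is the alternative, at the cost of the rate no longer tracking the fees actually collected.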