Severity: medium
Valid

Removing an assetToken using `ThunderLoan::setAllowedToken` freezes user funds

Summary

If the owner calls `ThunderLoan::setAllowedToken` to remove an assetToken, users with deposits in that asset token can no longer redeem their funds.

Vulnerability Details

`ThunderLoan::setAllowedToken` is an owner-restricted function used to add or remove AssetTokens. Users can deposit a token only after the owner has called this function to allow it, which adds the token to the `ThunderLoan::s_tokenToAssetToken` mapping.

If the owner calls `ThunderLoan::setAllowedToken` with the `allowed` parameter set to `false`, the function deletes the mapping entry without checking whether the contract still holds deposits for it. Users who then call `ThunderLoan::redeem` to withdraw their tokens get a `ThunderLoan__NotAllowedToken` revert, because the token no longer exists in the mapping.

Even if the owner tries to add the token back, using ThunderLoan::setAllowedToken, the contract will deploy a new AssetToken for that token address.

Impact

High - freeze of user funds, as users won't be able to redeem. The owner can still upgrade the smart contract to add a new function that lets users withdraw the frozen funds, but if the owner is not available, does not want to upgrade, or loses access to the owner wallet, the funds will be lost forever.

Proof of Concept

```solidity
function testSetAllowedTokenFreezesFunds() public {
    // Before
    AssetToken assetToken = thunderLoan.setAllowedToken(weth, true);
    _deposit(address(weth), ALICE, DEPOSIT_AMOUNT);
    _deposit(address(weth), BOB, DEPOSIT_AMOUNT);
    // When
    thunderLoan.setAllowedToken(weth, false);
    // Checks
    vm.startPrank(ALICE);
    thunderLoan.redeem(IERC20(weth), assetToken.balanceOf(ALICE));
    vm.stopPrank();
}
```

Running the test will output:

```
forge test --mt testSetAllowedTokenFreezesFunds -v
[⠒] Compiling...
No files changed, compilation skipped
Running 1 test for test/unit/AuditTest.t.sol:AuditTest
[FAIL. Reason: ThunderLoan__NotAllowedToken(0xF62849F9A0B5Bf2913b396098F7c7019b51A820a)] testSetAllowedTokenFreezesFunds() (gas: 1570703)
Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 2.21ms
Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)
Failing tests:
Encountered 1 failing test in test/unit/AuditTest.t.sol:AuditTest
[FAIL. Reason: ThunderLoan__NotAllowedToken(0xF62849F9A0B5Bf2913b396098F7c7019b51A820a)] testSetAllowedTokenFreezesFunds() (gas: 1570703)
```

Tools Used

  • Foundry

  • Manual Review

Recommendations

Before deleting an AssetToken from the `ThunderLoan::s_tokenToAssetToken` mapping, validate whether the AssetToken contract still has funds.
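
One way to express this check, as an added example that is not ThunderLoan's own code: a simplified allow-list in which removal reverts while the asset token still has shares outstanding or still holds the underlying token. The contract, interface, function and error names are hypothetical, and the example assumes deposits are held by the asset token contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not ThunderLoan's code: every name below is hypothetical.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

interface IAssetTokenLike {
    function totalSupply() external view returns (uint256);
}

contract GuardedAllowList {
    error NotOwner();
    error AlreadyAllowed(address token);
    error NotAllowedToken(address token);
    error AssetTokenStillHoldsFunds(address token, uint256 shares, uint256 underlying);

    address public immutable owner;
    mapping(address token => address assetToken) public tokenToAssetToken;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Assumption: the asset token is deployed elsewhere and registered here.
    function allowToken(address token, address assetToken) external onlyOwner {
        if (tokenToAssetToken[token] != address(0)) revert AlreadyAllowed(token);
        tokenToAssetToken[token] = assetToken;
    }

    // Removal is refused while depositors still hold shares or the asset token
    // still holds underlying, so outstanding shares keep their mapping entry.
    function disallowToken(address token) external onlyOwner {
        address assetToken = tokenToAssetToken[token];
        if (assetToken == address(0)) revert NotAllowedToken(token);
        uint256 shares = IAssetTokenLike(assetToken).totalSupply();
        uint256 underlying = IERC20Like(token).balanceOf(assetToken);
        if (shares != 0 || underlying != 0) {
            revert AssetTokenStillHoldsFunds(token, shares, underlying);
        }
        delete tokenToAssetToken[token];
    }
}
```

The underlying-balance condition can be held above zero by anyone who transfers a small amount to the asset token, which would block removal indefinitely; the share-supply condition is the one that tracks depositor claims.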

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

centralized owners can brick redemptions by unallowing a token
