First Flight #3: Thunder Loan

First Flight #3

Beginner FriendlyFoundryDeFiOracle

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

SafeTransferFrom should occur before state updates

codelock

Overview

In this audit report, we will review the deposit function provided. Specifically, we will address the concern regarding the placement of the safeTransferFrom function within the deposit function.

Code Issue
The safeTransferFrom function is placed after several state updates and calculations within the deposit function. This may create a vulnerability to reentrancy attacks, as the tokens should be transferred to the contract before any state updates occur.

Recommendation
To ensure the security of the contract and prevent potential reentrancy attacks, we recommend moving the safeTransferFrom function to the beginning of the deposit function. By doing so, the tokens will be transferred to the contract before any state updates or calculations take place. This ensures that the necessary tokens are available for the subsequent operations and reduces the risk of reentrancy vulnerabilities.

Updated deposit function:

function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {

token.safeTransferFrom(msg.sender, address(this), amount); // Move safeTransferFrom to the beginning of the function

if (s_currentlyFlashLoaning[token]) revert ThunderLoan__ActiveFlashLoan();

AssetToken assetToken = s_tokenToAssetToken[token];

uint256 exchangeRate = assetToken.getExchangeRate();

uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;

emit Deposit(msg.sender, token, amount);

assetToken.mint(msg.sender, mintAmount);

uint256 calculatedFee = getCalculatedFee(token, amount);

assetToken.updateExchangeRate(calculatedFee);

// Remaining code...

}

Proof of Concept

The updated code snippet above moves the safeTransferFrom function to the beginning of the deposit function, ensuring that the tokens are transferred to the contract before any state updates or calculations occur.

Conclusion

In conclusion, we have reviewed the deposit function and identified the issue with the placement of the safeTransferFrom function. We recommend moving the safeTransferFrom to the beginning of the function to ensure that tokens are transferred to the contract before any state updates occur. This mitigates the risk of reentrancy attacks and ensures the integrity and security of the contract.

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Vague generalities

Rewards breakdown

nSLOC

387

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.