The ThunderLoan Protocol's flashloan function miscalculates fees for tokens with non-standard decimal units, such as USDC and USDT, which have 6 decimals. This issue arises from the getCalculatedFee function, which incorrectly applies a precision factor intended for tokens with 18 decimals, resulting in an inflated fee by a factor of 1e12 for tokens with fewer decimals.
In the getCalculatedFee function, the calculation (amount * getPriceInWeth(address(token))) / s_feePrecision assumes amount is in wei (1e18 decimals). However, for tokens like USDC and USDT with only 6 decimals, this results in a fee calculation that is vastly inflated. The second line, (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision, compounds this error by applying the precision factor again.
The inflated fees due to incorrect decimal handling can result in users being significantly overcharged for flash loans, reducing the competitiveness and reliability of the ThunderLoan Protocol and potentially causing financial loss and damage to user trust.
Add the test below to ThunderLoanTest.t.sol:
Output:
We can see that the test failed because of the wrongly calculated fee.
Manual Review
Foundry
To fix this vulnerability:
Modify the getCalculatedFee function to account for the token's actual decimal places by incorporating the decimals() function of the ERC20 token interface.
Create a utility function or modifier to handle the conversion of decimal places accurately within the smart contract.
Establish comprehensive testing for various tokens with different decimal places to ensure fee calculations are accurate across all scenarios.
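One way the first two recommendations could look, as an added example that is not ThunderLoan's code or the submitter's patch: the amount is scaled to 18 decimals using the token's decimals() before the two divisions by the fee precision. DecimalScaling, toWad, DecimalAwareFee, FEE_PRECISION and flashLoanFee() are hypothetical names, and the sketch assumes getPriceInWeth returns an 18-decimal price and that the caller treats the result as an 18-decimal, WETH-denominated value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";

/// Added example (hypothetical names): converts raw token amounts to 18-decimal units.
library DecimalScaling {
    uint8 internal constant TARGET_DECIMALS = 18;

    /// @param amount        raw amount in the token's own smallest unit
    /// @param tokenDecimals value returned by the token's decimals()
    function toWad(uint256 amount, uint8 tokenDecimals) internal pure returns (uint256) {
        if (tokenDecimals == TARGET_DECIMALS) {
            return amount;
        }
        if (tokenDecimals < TARGET_DECIMALS) {
            // e.g. 6 decimals (USDC, USDT): multiply by 1e12.
            // Checked arithmetic reverts if the product overflows.
            return amount * 10 ** uint256(TARGET_DECIMALS - tokenDecimals);
        }
        // More than 18 decimals: scale down; the remainder is truncated.
        return amount / 10 ** uint256(tokenDecimals - TARGET_DECIMALS);
    }
}

/// Added example: fee calculation that normalises the amount before pricing it.
abstract contract DecimalAwareFee {
    // Assumed to match the 1e18 precision the finding attributes to s_feePrecision.
    uint256 internal constant FEE_PRECISION = 1e18;

    /// Assumption: price of one whole token in WETH, scaled by 1e18.
    function getPriceInWeth(address token) public view virtual returns (uint256);

    /// Assumption: fee rate scaled by FEE_PRECISION.
    function flashLoanFee() public view virtual returns (uint256);

    function getCalculatedFee(IERC20Metadata token, uint256 amount) public view returns (uint256 fee) {
        // Normalise first so both divisions operate on 18-decimal values.
        uint256 amountWad = DecimalScaling.toWad(amount, token.decimals());
        uint256 valueOfBorrowedToken = (amountWad * getPriceInWeth(address(token))) / FEE_PRECISION;
        fee = (valueOfBorrowedToken * flashLoanFee()) / FEE_PRECISION;
    }
}
```

The third recommendation then amounts to running the same borrow through tokens with 6, 18 and more than 18 decimals and checking that the returned fee is in the same unit each time.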