Submission Details
Severity: high
Invalid

[H-3] No input validation for 'tswapAddress'

Summary

In ThunderLoan.sol:70, the initialize function performs no input validation on the tswapAddress parameter before passing it to __Oracle_init, which stores it as the TSwap pool factory address the oracle relies on. If an invalid address is passed (the zero address, an EOA, or an unrelated contract), the protocol is initialized with a broken pricing source.

Vulnerability Details

Vulnerable function (as in the codebase under review):

function initialize(address tswapAddress) external initializer {
    // @audit-issue [H-3] No input validation for 'tswapAddress':
    // any value, including address(0) or an EOA, is accepted here.
    __Ownable_init();
    __UUPSUpgradeable_init();
    __Oracle_init(tswapAddress); // tswapAddress = TSwap pool factory address
    s_feePrecision = 1e18;
    s_flashLoanFee = 3e15; // 3e15 / 1e18 = 0.3% fee
}

Impact

Because initialize accepts any address, the pool factory the oracle depends on is set without any sanity check. This can lead to:

  1. Acceptance of an address that is not a pool factory contract (the zero address, an EOA, or an unrelated contract), which makes the oracle's pricing calls fail or return meaningless values.

  2. Manipulation of price feeds, and potentially theft of funds, if a malicious contract is wired in place of the expected pool factory.

Note that initialize is guarded by the initializer modifier and runs once, so the address can only be set by whoever initializes the proxy; the missing check exposes the protocol to a wrong or malicious deployment configuration rather than to a later caller.

Tools Used

  1. Manual Review

  2. VS Code

Recommendations

Validate that tswapAddress is not the zero address and that code is deployed at it before handing it to __Oracle_init.

Possible fix (same signature and fee settings as the original; only the two checks are added):

function initialize(address tswapAddress) external initializer {
    // Reject the zero address and any address without deployed code.
    // address.code.length requires Solidity >= 0.8.1; it is 0 for EOAs,
    // for address(0), and for a contract whose constructor is still running.
    require(tswapAddress != address(0), "ThunderLoan: tswapAddress is the zero address");
    require(tswapAddress.code.length > 0, "ThunderLoan: tswapAddress is not a contract");
    __Ownable_init();
    __UUPSUpgradeable_init();
    __Oracle_init(tswapAddress); // tswapAddress = TSwap pool factory address
    s_feePrecision = 1e18;
    s_flashLoanFee = 3e15; // 0.3% fee
}

The code-length check only proves that some contract lives at the address, not that it is a TSwap pool factory; a stricter version would also call a read-only function of the expected factory interface and revert if the call fails.
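The following Foundry test is an added example, not code from ThunderLoan or from this submission. To stay self-contained it uses a minimal stand-in contract, InitializerWithCheck, that carries only the initializer and the two recommended checks instead of the real ThunderLoan; the contract names, custom errors and the forge-std import path are assumptions. It shows what the recommendation accepts and rejects: the zero address, a fresh EOA, and a deployed contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumes forge-std is installed under lib/

// Hypothetical stand-in for ThunderLoan.initialize with the recommended checks.
contract InitializerWithCheck {
    address public s_poolFactory;
    bool private s_initialized;

    error AlreadyInitialized();
    error ZeroAddress();
    error NotAContract(address given);

    // Mirrors the `initializer` guard: can only succeed once.
    function initialize(address tswapAddress) external {
        if (s_initialized) revert AlreadyInitialized();
        if (tswapAddress == address(0)) revert ZeroAddress();
        // code.length is 0 for EOAs and for contracts still in their constructor.
        if (tswapAddress.code.length == 0) revert NotAContract(tswapAddress);
        s_initialized = true;
        s_poolFactory = tswapAddress;
    }
}

// Any deployed contract has non-empty runtime code (Solidity appends metadata),
// so this empty contract is enough to stand in for "a contract exists here".
contract DummyFactory {}

contract InitializerCheckTest is Test {
    InitializerWithCheck internal loan;

    function setUp() public {
        loan = new InitializerWithCheck();
    }

    function testRejectsZeroAddress() public {
        vm.expectRevert(InitializerWithCheck.ZeroAddress.selector);
        loan.initialize(address(0));
    }

    function testRejectsEOA() public {
        address eoa = makeAddr("eoa"); // constructed address with no code
        vm.expectRevert(
            abi.encodeWithSelector(InitializerWithCheck.NotAContract.selector, eoa)
        );
        loan.initialize(eoa);
    }

    function testAcceptsDeployedContract() public {
        DummyFactory factory = new DummyFactory();
        loan.initialize(address(factory));
        assertEq(loan.s_poolFactory(), address(factory));
    }

    function testCannotInitializeTwice() public {
        DummyFactory factory = new DummyFactory();
        loan.initialize(address(factory));
        vm.expectRevert(InitializerWithCheck.AlreadyInitialized.selector);
        loan.initialize(address(factory));
    }
}
```

Run with `forge test --match-contract InitializerCheckTest`. The tests also document the limit of the check: DummyFactory is accepted although it is not a pool factory, because code.length only distinguishes "has code" from "has no code".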
Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Zero address checks
