Summary

The provided flash loan function implementation deviates from the EIP 3156 standard for flash loans in Ethereum. This non-conformance introduces potential risks and vulnerabilities within the smart contract's flash loan mechanism.

Vulnerability Details

Some of the critical vulnerabilities that it creates:

• The function flashloan does not check if a specific token is allowed for flashloan

• Does not check that the transfer has succeeded

• Does not execute a transferFrom from borrower's funds for token repayment.

Other critical vulnerabilities :

• Does not send funds to a trusted borrower that implements the IERC3156FlashBorrower. Instead calls the borrower's executeOperation function. This call can be malicious and can create a reentrancy, like caling other functions like redeem/repay.

• Does not execute the onFlashLoan function necessary for validation.

Impact

Critical, funds are at risk. Susceptible to flash loan attacks/ reentrancy/read-only attacks. The non-compliance with EIP 3156 may result in integration difficulties with other contracts expecting a standard interface.

Tools Used

Manual review

Recommendations

Refactor the whole contracts (ThunderLoan/ThunderLoanUpgraded) to comply with the EIP 3156 standard.