Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Severity: high
Invalid

FlashLoan Reentrancy V1

Summary

An attacker can reenter flashLoan() from the callback the protocol makes into the borrower's contract, taking several loans in nested calls and repaying them as if they were one.

Vulnerability Details

Actors:

  • Attacker: the malicious user.

  • Victim: other users, LPs, ThunderLoan.

  • Protocol: The ThunderLoan contract itself.

Exploit Scenario:

  • Initial State: The protocol is deployed.

  • Step 1: The attacker takes a flash loan through a malicious contract that calls flashLoan().

  • Step 2: flashLoan() makes an external call to the attacker's contract. That contract's receive() calls back into flashLoan() with the same amount; because the first loan's tokens have already left the pool, the nested call records a lower startingBalance.

  • Step 3: The attacker repays only the amount he owes for his last (innermost) flashLoan() request.

Impact

The attacker can take several loans and repay them as one, draining a large share of the funds held by the contract.

Tools Used

Manual review

Recommendations

https://github.com/0xjarix/Audits/edit/main/CodeHawks/FirstFlights/ThunderLoan-security-review.md#recommendation-2
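The linked recommendation is not reproduced on this page. As an added illustration (not ThunderLoan's code and not the author's), the contract below shows a minimal flash-loan entry point that closes the reentry path described in the Exploit Scenario with a reentrancy guard. It assumes OpenZeppelin's ReentrancyGuard and IERC20 are available through Foundry remappings; the IFlashBorrower interface, the GuardedFlashLender name and the fee value are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not ThunderLoan's code. Assumes OpenZeppelin's
// ReentrancyGuard and IERC20 are reachable via the project's remappings.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical borrower interface: the lender hands over the tokens, then
// calls back into the borrower, which must have returned amount + fee by the
// time the callback finishes.
interface IFlashBorrower {
    function executeOperation(address token, uint256 amount, uint256 fee) external;
}

contract GuardedFlashLender is ReentrancyGuard {
    // Illustrative fee: 0.3 % of the borrowed amount.
    uint256 public constant FEE_BPS = 30;

    error RepaymentTooLow(uint256 startingBalance, uint256 endingBalance, uint256 fee);

    // nonReentrant: a borrower whose callback calls flashLoan() again hits the
    // guard and the whole transaction reverts, so a second loan can never be
    // opened while the first one's repayment check is still pending.
    function flashLoan(address token, uint256 amount) external nonReentrant {
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // Balance recorded at entry; the repayment check below is made
        // against this value.
        uint256 startingBalance = IERC20(token).balanceOf(address(this));

        // External interactions: hand out the tokens, then call the borrower.
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
        IFlashBorrower(msg.sender).executeOperation(token, amount, fee);

        // Checks-effects-interactions cannot fully apply here because the
        // check depends on the callback's result, which is exactly why the
        // entry point needs the guard.
        uint256 endingBalance = IERC20(token).balanceOf(address(this));
        if (endingBalance < startingBalance + fee) {
            revert RepaymentTooLow(startingBalance, endingBalance, fee);
        }
    }
}
```

In a Foundry test, a borrower contract whose executeOperation() calls flashLoan() a second time reverts at the guard (OpenZeppelin 5.x raises the ReentrancyGuardReentrantCall() custom error), before any nested startingBalance is recorded.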

Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Vague generalities
