Deposit function updating the exchange rate lets malicious depositors keep redeeming with interest, with or without any flash loan occurring within the period
The `getCalculatedFee` function returns the current fee for a user taking a flash loan from the contract; it exists so that flash-loan borrowers know how much fee they will pay based on the borrowed amount. The fee paid is eventually used to update the exchange rate so that liquidity providers earn interest. Unfortunately, the `deposit` function also calls `getCalculatedFee` and `updateExchangeRate` on the amount a user deposits, which negatively affects the earnings of all users who deposited into the ThunderLoan contract.
Liquidity providers can lose part or all of their funds to other liquidity providers, with or without a flash loan occurring.
It can also cause a DoS for other liquidity providers trying to redeem their assets, as the contract does not hold the expected payout amount for liquidity providers.
Manual review, Foundry
The `getCalculatedFee` and `updateExchangeRate` calls should be removed from the `deposit` function, as they do not reflect the developer's intention. The docs state that liquidity providers earn interest over time depending on how much flash-loan activity occurred, which means no user should be able to earn interest within the deposit period if no flash loan occurred.
NOTE: This is fixed in the ThunderLoanUpgraded version. The team should waste no time in upgrading the contract, as attackers are watching every second to attack any honeypot on-chain.
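The accounting effect described in this finding, as a simplified Python model added here (not the contract's code and not the submitter's proof of concept). It compares a deposit path that credits a fee to the exchange rate with one that does not, and checks the solvency invariant "total claims do not exceed the pool balance". The 0.3% fee, the 1e18 precision, the rate-update formula and the names `Pool`, `run`, `alice` and `bob` are assumptions of this example.

```python
PRECISION = 10**18
FEE_RATE = 3 * 10**15  # assumed 0.3% flash-loan fee (assumption of this example)

class Pool:
    """Toy model of an asset-token pool; all formulas here are assumed."""
    def __init__(self, fee_on_deposit):
        self.fee_on_deposit = fee_on_deposit  # True models the reported deposit()
        self.rate = PRECISION   # underlying per share, scaled by PRECISION
        self.supply = 0         # total shares minted to liquidity providers
        self.balance = 0        # underlying tokens the pool actually holds
        self.shares = {}

    def _update_rate(self, fee):
        # The rate grows as if `fee` underlying tokens had been paid into the pool.
        self.rate = self.rate * (self.supply + fee) // self.supply

    def deposit(self, who, amount):
        minted = amount * PRECISION // self.rate
        self.shares[who] = self.shares.get(who, 0) + minted
        self.supply += minted
        if self.fee_on_deposit:
            # Reported flaw: a fee is computed on the deposit and credited to the
            # rate although no flash loan happened and no fee was received.
            self._update_rate(amount * FEE_RATE // PRECISION)
        self.balance += amount

    def claim(self, who):
        return self.shares[who] * self.rate // PRECISION

    def redeem(self, who):
        owed = self.claim(who)
        if owed > self.balance:
            raise RuntimeError("insufficient pool balance")  # on-chain: revert
        self.balance -= owed
        self.supply -= self.shares.pop(who)
        return owed

def run(fee_on_deposit):
    """Two deposits, no flash loan. Returns (rate, shortfall of balance vs claims)."""
    pool = Pool(fee_on_deposit)
    pool.deposit("alice", 1000 * PRECISION)
    pool.deposit("bob", 1000 * PRECISION)
    owed = pool.claim("alice") + pool.claim("bob")
    return pool.rate, owed - pool.balance  # shortfall > 0 means insolvent

if __name__ == "__main__":
    print("fee credited on deposit:", run(True))
    print("fee not credited on deposit:", run(False))
```

A positive shortfall is the condition behind both impacts listed above: the first redeemer is paid more than they deposited, and a later redeemer's claim exceeds what the pool holds.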