Beginner FriendlyFoundryDeFiOracle
100 EXP
View results
Submission Details
Severity: high
Invalid

Attacker can steal funds by taking a flash loan

Summary

Attacker can steal funds by taking a flash loan.

Vulnerability Details

Let's describe the vulnerability in the following scenario (note: Attacker = A malicious contract deployed by the attacker):

  • Alice calls deposit and wants to deposit x amount of token A.

  • Attacker is tracing the mempool and see the Alice transaction.

  • Attacker calls flashloan with higher gas price (front-running the alice transaction) and borrows y amount of token A (y is less than x, for example if alice is depositing 1000 number of token A, attacker borrows 900)

  • The attacker transaction will be executed first (due to higher gas price)

  • flashloan function transfers the tokens to attacker contract and triggers the function executeOperation in attacker contract:

receiverAddress.functionCall(
abi.encodeWithSignature(
"executeOperation(address,uint256,uint256,address,bytes)",
address(token),
amount,
fee,
msg.sender,
params
)
);
  • Inside the executeOperation attacker has implmented a code that just keeps the transaction suspended for 1 minute (or more if needed) to make sure the alice transaction (deposit transaction) is executed (for example, a loop which checks 1 minute is passed)

  • After 1 minute, executeOperation is finish and the attacker transaction will go back to flashloan at this line:

uint256 endingBalance = token.balanceOf(address(assetToken));
if (endingBalance < startingBalance + fee) {
revert ThunderLoan__NotPaidBack(startingBalance + fee, endingBalance);
}
  • According to that the alice transaction is executed during this 1 minute, so the balance of contract is increased by alice deposits, so the transaction of attacker will be successfully finished without the need for attacker to pays-back.

Impact

Loss of funds.

Tools Used

Manual Review

Recommendations

Add this line to deposit function:

if (s_currentlyFlashLoaning[token]) {
revert TryAgainLater();
}

The above line means: No one should be able to deposit token A, while token A is borrowed by a flashloan borrower.

Updates

Lead Judging Commences

patrickalphac Auditor
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
ubl4nk Submitter
over 1 year ago

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.