First Flight #3: Thunder Loan

First Flight #3

Beginner FriendlyFoundryDeFiOracle

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

ThunderLoanUpgraded will have no access to updateExchangeRate, will not be able to perform flashloans

0xtheblackpanther

Summary

If the ThunderLoan contract is upgraded to ThunderLoanUpgraded in the future, the updateExchangeRate function will not be accessible to the upgraded contract. This is because the updateExchangeRate function has an onlyThunderLoan modifier, which permits access exclusively to the ThunderLoan contract and does not extend to its upgraded counterpart, ThunderLoanUpgraded."

Vulnerability Details

The vulnerability in the contract lies in its upgradeability mechanism. Specifically, if the ThunderLoan contract is upgraded to ThunderLoanUpgraded in the future, the updateExchangeRate function within the AssetToken contract will no longer be accessible to the upgraded contract. The primary reason for this is the presence of the onlyThunderLoan modifier, which restricts access to the ThunderLoan contract exclusively & does not include the upgraded version, ThunderLoanUpgraded.

Impact

The inability of the ThunderLoanUpgraded contract to access the updateExchangeRate function may lead to loss of key functionality, including the ability to enable users to perform flash loans, resulting in a significant impact on the platform's operation.

Tools Used

Foundry and manual review

Recommendations

To address the issue, you should:

Modify the onlyThunderLoan modifier to include ThunderLoanUpgraded for access to the updateExchangeRate function.
Implement a proxy pattern for consistent functionality across both contracts.
Ensure backward compatibility to avoid disrupting existing features.
Rigorously test the modified contracts for security.
Provide clear upgrade documentation for users.

Change onlyThunderLoan code to the below to include ThunderLoanUpgraded for access to the updateExchangeRate function.

modifier onlyThunderLoan() {

if (msg.sender != i_thunderLoan || msg.sender != address(thunderLoanUpgraded)) {

revert AssetToken__onlyThunderLoan();

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

387

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.