Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Storage Collision in Upgrade Causes Flash Loan Fee Miscalculation

nugen

[H-1] Storage Collision in Upgrade Causes Flash Loan Fee Miscalculation

Description

The ThunderLoan protocol is designed to be upgradeable using the UUPS pattern. The original ThunderLoan contract stores s_feePrecision as a storage variable, while the upgraded ThunderLoanUpgraded contract removes this variable and converts FEE_PRECISION to a constant.

In upgradeable contracts, storage layout must be preserved across upgrades. When upgrading from ThunderLoan to ThunderLoanUpgraded, the storage slots become misaligned because s_feePrecision is removed.

// ThunderLoan.sol (Original)

mapping(IERC20 => AssetToken) public s_tokenToAssetToken; // Slot 0

// @> uint256 private s_feePrecision; // Slot 1

// @> uint256 private s_flashLoanFee; // Slot 2

mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning; // Slot 3

// ThunderLoanUpgraded.sol (Upgraded)

mapping(IERC20 => AssetToken) public s_tokenToAssetToken; // Slot 0

// @> uint256 private s_flashLoanFee; // Slot 1 (reads old s_feePrecision value!)

// @> uint256 public constant FEE_PRECISION = 1e18; // Not in storage

mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning; // Slot 2

After upgrade, s_flashLoanFee in the new contract reads from slot 1, which contains the old s_feePrecision value (1e18 = 1000000000000000000). The intended fee is 3e15 (0.3%), but after upgrade it becomes 1e18 (100%).

Risk

Likelihood:

The upgrade from ThunderLoan to ThunderLoanUpgraded will occur when the owner decides to upgrade the implementation
Storage collision happens automatically upon upgrade, requiring no attacker action
The issue is deterministic and affects all flash loans after upgrade

Impact:

Flash loan fees become 333x higher than intended (1e18 instead of 3e15), making the protocol completely unusable
All flash loan borrowers are massively overcharged, effectively preventing any legitimate flash loan usage
Liquidity providers receive excessive fees in the short term, but protocol becomes non-competitive and users migrate away
Protocol reputation is destroyed and total value locked (TVL) drops to zero

Proof of Concept

The following test demonstrates the storage collision:

contract StorageCollisionTest is Test {

ThunderLoan thunderLoanImplementation;

ThunderLoanUpgraded thunderLoanUpgradedImplementation;

ERC1967Proxy proxy;

function testUpgradeBreaksFees() public {

// Deploy original implementation

thunderLoanImplementation = new ThunderLoan();

// Deploy proxy pointing to original

proxy = new ERC1967Proxy(

address(thunderLoanImplementation),

abi.encodeWithSignature("initialize(address)", tswapAddress)

);

ThunderLoan thunderLoan = ThunderLoan(address(proxy));

// Before upgrade: fee is 3e15 (0.3%)

assertEq(thunderLoan.getFee(), 3e15);

// Deploy upgraded implementation

thunderLoanUpgradedImplementation = new ThunderLoanUpgraded();

// Upgrade to new implementation

thunderLoan.upgradeToAndCall(

address(thunderLoanUpgradedImplementation),

);

ThunderLoanUpgraded upgraded = ThunderLoanUpgraded(address(proxy));

// After upgrade: fee is now 1e18 (100%) - reads old s_feePrecision!

assertEq(upgraded.getFee(), 1e18);

// Expected: 3e15, Actual: 1e18

}

Recommended Mitigation

Never remove or reorder storage variables in upgradeable contracts. Preserve the storage layout by keeping s_feePrecision as a storage variable even if unused.

contract ThunderLoanUpgraded is Initializable, OwnableUpgradeable, UUPSUpgradeable, OracleUpgradeable {

mapping(IERC20 => AssetToken) public s_tokenToAssetToken;

- uint256 private s_flashLoanFee;

- uint256 public constant FEE_PRECISION = 1e18;

+ uint256 private s_feePrecision; // Keep for storage layout compatibility

+ uint256 private s_flashLoanFee;

mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;

// Use s_feePrecision instead of constant

function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {

- uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / FEE_PRECISION;

- fee = (valueOfBorrowedToken * s_flashLoanFee) / FEE_PRECISION;

+ uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / s_feePrecision;

+ fee = (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 11 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!