Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Storage Layout Mismatch Between Original and Upgraded Contracts

muzammilmohammed678

Root + Impact

Description

  • The original `ThunderLoan` contract uses `uint256 private s_feePrecision;` as a storage variable, while the upgraded `ThunderLoanUpgraded` contract uses `uint256 public constant FEE_PRECISION = 1e18;` as a compile-time constant. This creates a storage layout mismatch that could cause issues during the upgrade process, potentially corrupting storage slots.


    The storage layout differs between contracts:

    **ThunderLoan.sol:**

    ```solidity

    // The fee in WEI, it should have 18 decimals. Each flash loan takes a flat fee of the token price.

    uint256 private s_feePrecision; // @> Storage variable

    uint256 private s_flashLoanFee; // 0.3% ETH fee

    ```

    **ThunderLoanUpgraded.sol:**

    ```solidity

    // The fee in WEI, it should have 18 decimals. Each flash loan takes a flat fee of the token price.

    uint256 private s_flashLoanFee; // 0.3% ETH fee

    uint256 public constant FEE_PRECISION = 1e18; // @> Compile-time constant, not in storage

    ```

    When upgrading from `ThunderLoan` to `ThunderLoanUpgraded`, the storage slot that previously held `s_feePrecision` will now be interpreted differently, potentially causing:

    1. The value in that storage slot to be read as part of another variable

    2. Storage corruption if the upgrade doesn't account for this change

    3. Incorrect behavior if any code tries to read the old `s_feePrecision` storage slot

Risk

Likelihood:

  • * This occurs during the upgrade process from `ThunderLoan` to `ThunderLoanUpgraded`

    * Since `s_feePrecision` is only set in `initialize()` and never changed, the risk is lower, but the storage layout mismatch is still a concern

    * If any external contracts or interfaces expect `s_feePrecision` to be in storage, they will fail

Impact:

  • * Potential storage corruption during upgrade

    * If the storage slot is reused for another purpose, old data might be interpreted incorrectly

    * Could cause unexpected behavior in the upgraded contract

    * May break compatibility with any external systems that read the storage directly

Proof of Concept

```solidity
// Scenario:
// 1. ThunderLoan deployed with s_feePrecision = 1e18 in storage slot X
// 2. Upgrade to ThunderLoanUpgraded
// 3. ThunderLoanUpgraded doesn't have s_feePrecision in storage
// 4. Storage slot X still contains 1e18
// 5. If ThunderLoanUpgraded uses storage slot X for something else, it will read 1e18
// 6. This could cause incorrect behavior
```

Recommended Mitigation

Ensure storage layout compatibility. Either:
1. Keep `s_feePrecision` as a storage variable in the upgraded contract:
```diff
contract ThunderLoanUpgraded is Initializable, OwnableUpgradeable, UUPSUpgradeable, OracleUpgradeable {
// ... existing code ...
- uint256 public constant FEE_PRECISION = 1e18;
+ uint256 private s_feePrecision;
// ... existing code ...
function initialize(address tswapAddress) external initializer {
__Ownable_init();
__UUPSUpgradeable_init();
__Oracle_init(tswapAddress);
+ s_feePrecision = 1e18;
s_flashLoanFee = 3e15; // 0.3% ETH fee
}
function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
//slither-disable-next-line divide-before-multiply
- uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / FEE_PRECISION;
+ uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / s_feePrecision;
//slither-disable-next-line divide-before-multiply
- fee = (valueOfBorrowedToken * s_flashLoanFee) / FEE_PRECISION;
+ fee = (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision;
}
function updateFlashLoanFee(uint256 newFee) external onlyOwner {
- if (newFee > FEE_PRECISION) {
+ if (newFee > s_feePrecision) {
revert ThunderLoan__BadNewFee();
}
s_flashLoanFee = newFee;
}
+
+ function getFeePrecision() external view returns (uint256) {
+ return s_feePrecision;
+ }
}
```
2. Or use a migration function to clear the old storage slot if converting to a constant is intentional.
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!