Thunder Loan

AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Submission Details
Severity: high
Valid

UUPS Storage Layout Corruption

Root + Impact

Upgrading an already deployed ThunderLoan proxy to ThunderLoanUpgraded corrupts the storage layout

Description

The initial storage Layout implementation stores:
Slot Variable
... https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/ThunderLoan.sol#L93
... inherited OZ storage
N https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/ThunderLoan.sol#L96
N+1 https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/ThunderLoan.sol#L97
N+2 https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/ThunderLoan.sol#L99
Initialization writes
s_feePrecision = 1e18;
s_flashLoanFee = 3e15;
However in Upgraded Layout, The upgraded implementation removes https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/upgradedProtocol/ThunderLoanUpgraded.sol#L97 and replaces it with https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/upgradedProtocol/ThunderLoanUpgraded.sol#L96.
Therefore the new layout becomes:
constants do not occupy storage slots
Slot Variable
... https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/upgradedProtocol/ThunderLoanUpgraded.sol#L93
... inherited OZ storage
N https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/upgradedProtocol/ThunderLoanUpgraded.sol#L96
N+1 https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/upgradedProtocol/ThunderLoanUpgraded.sol#L99
As a consequence,
Old Slot N
s_feePrecision = 1e18
New Slot N
s_flashLoanFee
The upgraded implementation interprets the previous precision value as the flash loan fee.
Storage Visualization
Before Upgrade
Slot Value
N 1e18 (s_feePrecision)
N+1 3e15 (s_flashLoanFee)
After Upgrade
Slot Variable
N s_flashLoanFee
Reading getFee() simply returns 1e18 instead of 3e15
Consequence
Flash loan fee becomes:
fee =
(valueBorrowed * 1e18)
/1e18
which simplifies to
fee = valueBorrowed
Instead of charging
0.3%
the protocol now charges
100%
Every flash loan becomes economically unusable.
Likewise,
updateFlashLoanFee()
writes into Slot N.
Future upgrades expecting the old layout become increasingly unsafe.
// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

High.
The protocol explicitly uses the UUPS upgrade pattern.
If governance upgrades to this implementation, storage corruption occurs deterministically.
No attacker interaction is required.

Impact:

Immediately after upgrade:
s_flashLoanFee no longer stores the configured fee.
It instead reads the previous value of s_feePrecision.
Every flash loan fee calculation becomes incorrect.
The owner can no longer reason about or correctly configure protocol fees.
Existing protocol state becomes incompatible with the new implementation.
Although no user funds are directly stolen, this permanently corrupts protocol accounting and breaks an essential economic parameter after upgrade.

Proof of Concept

Original Deployment
Initialization stores
Slot N
1e18
Slot N+1
3e15
Calling
getFee()
returns
3000000000000000
Upgrade
Owner executes
upgradeTo(address(new ThunderLoanUpgraded()))
No migration occurs.
Storage remains
Slot N
1e18
Slot N+1
3e15
Reading State
The upgraded implementation now interprets Slot N as
s_flashLoanFee
Therefore
getFee()
returns
1000000000000000000
instead of
3000000000000000
Flash Loan
Suppose
Borrow value = 50 ETH
Fee calculation becomes
fee
=
50 × 1e18
/
1e18
=
50 ETH
Expected fee
0.15 ETH
Actual fee
50 ETH
The protocol's fee logic is completely broken after upgrade.
Root Cause
A state variable was removed from the middle of the storage layout.
Original
uint256 s_feePrecision;
uint256 s_flashLoanFee;
became
Upgraded
uint256 s_flashLoanFee;
uint256 constant FEE_PRECISION = 1e18;
Constants do not consume storage, causing all subsequent storage variables to shift upward.
This violates OpenZeppelin's UUPS upgrade storage compatibility requirements.

Recommended Mitigation

Never remove or reorder storage variables in upgradeable contracts.
Instead, preserve the original layout:
uint256 private s_feePrecision;
uint256 private s_flashLoanFee;
If the precision is intended to become immutable, simply stop using s_feePrecision while leaving the storage slot intact:
uint256 private s_feePrecision; // reserved for storage compatibility
uint256 public constant FEE_PRECISION = 1e18;
Alternatively, reserve storage using storage gaps (uint256[50] private __gap;) and strictly follow OpenZeppelin's upgrade-safe storage layout guidelines.
uint256 private s_feePrecision; - remove this code
uint256 public constant FEE_PRECISION = 1e18;- remove this code
uint256 private s_feePrecision; + add this code
uint256 private s_flashLoanFee;+ add this code
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!