Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[H-02] Storage collision in ThunderLoanUpgraded breaks fee and flash loan guard

sharonkosgei4

Root + Impact

Description

  • ThunderLoanUpgraded removes the s_feePrecision variable that exists in ThunderLoan.

  • Because the proxy shares storage with the implementation via delegatecall, removing a variable causes every subsequent variable to shift up by one slot. The original storage values written by ThunderLoan are then read
    at the wrong offsets by ThunderLoanUpgraded.

ThunderLoan storage layout (original):

Slot Variable Value after deploy
201 s_poolFactory TSwap factory address
202 s_tokenToAssetToken token → AssetToken map
203 s_feePrecision 1e18 (precision constant)
204 s_flashLoanFee e.g. 3e15 (0.3%)
205 s_currentlyFlashLoaning false

ThunderLoanUpgraded storage layout (after upgrade):

Slot Variable What it actually reads
201 s_poolFactory correct
202 s_tokenToAssetToken correct
203 s_flashLoanFee reads 1e18 ← s_feePrecision value
204 s_currentlyFlashLoaning reads 3e15 ← old fee value

  • After the upgrade, s_flashLoanFee returns 1e18 (100% fee) instead of 3e15 (0.3%), and s_currentlyFlashLoaning reads a non-zero uint256 as a bool mapping, permanently corrupting the flash loan guard.

Risk

Likelihood:

  • The collision occurs automatically on upgrade with no additional conditions.

  • Any deployment of ThunderLoanUpgraded as a replacement implementation will trigger the broken slot layout immediately.

Impact:

After the upgrade is applied:

  • Flash loan fees become 1e18 (100%) no borrower can afford a loan, effectively
    bricking the flash loan functionality.

  • The s_currentlyFlashLoaning guard is corrupted, and reentrancy protection breaks.

  • All LP deposits and redemptions that depend on s_flashLoanFee produce wrong values.

  • The protocol is non-functional post-upgrade until redeployed from scratch.

Proof of Concept

Removing s_feePrecision shifts every variable after it up by one slot. The proxy storage is unchanged, so s_flashLoanFee now reads from the slot that held s_feePrecision (1e18) instead of the intended fee value (3e15). No attacker action is required; the collision takes effect the moment the owner calls upgradeTo.

// Before upgrade
assert(thunderLoan.s_flashLoanFee() == 3e15); // 0.3%
// Owner upgrades proxy to ThunderLoanUpgraded
proxy.upgradeTo(address(thunderLoanUpgraded));
// After upgrade — same proxy storage, new implementation reads wrong slot
assert(thunderLoan.s_flashLoanFee() == 1e18); // reads s_feePrecision slot → 100%

Recommended Mitigation

  • Never remove or reorder state variables between implementation versions.

  • New variables must only be appended at the end of the layout.

  • To fix ThunderLoanUpgraded, keep s_feePrecision in its original slot position, even if the variable is no longer needed, or replace it with a placeholder:

+ uint256 private s_feePrecision; // preserved — storage slot compatibility
uint256 private s_flashLoanFee;
mapping(IERC20 => bool) private s_currentlyFlashLoaning;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!