Thunder Loan

AI First Flight #7
Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Impact: low
Likelihood: high
Invalid

[L-01] Reentrancy guard set after external call

Root + Impact

Description

  • s_currentlyFlashLoaning[token] = true is set at line 198, after the external call assetToken.updateExchangeRate(fee) at line 194. This violates the Checks-Effects-Interactions pattern — the guard meant to signal an active flash loan is not in place during the first external call.

  • While Slither classifies this as reentrancy-benign (no direct fund loss is proven from this specific ordering alone), it compounds with H-01 and reduces the reliability of the reentrancy guard as a defence mechanism.

194: assetToken.updateExchangeRate(fee); // external call — guard not yet set
198: s_currentlyFlashLoaning[token] = true; // guard set too late
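
The ordering described above, as an added example that is not part of the submission or the Thunder Loan code base: a stand-in callee records what the lender's flag reads while updateExchangeRate is executing, under each ordering. ProbeAssetToken, LenderOrderingDemo, OrderingCheck and isCurrentlyFlashLoaning are hypothetical names; keying the flag by the asset token address and clearing it at the end of the call are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: hypothetical contracts, not Thunder Loan code.
interface ILender {
    function isCurrentlyFlashLoaning(address token) external view returns (bool);
}

// Stand-in callee: records the lender's flag as seen while the call runs.
contract ProbeAssetToken {
    bool public flagSeenDuringCall;
    function updateExchangeRate(uint256) external {
        flagSeenDuringCall = ILender(msg.sender).isCurrentlyFlashLoaning(address(this));
    }
}

contract LenderOrderingDemo is ILender {
    // Assumption: keyed by the asset token address to keep the demo small.
    mapping(address => bool) private s_currentlyFlashLoaning;

    function isCurrentlyFlashLoaning(address token) external view override returns (bool) {
        return s_currentlyFlashLoaning[token];
    }

    // Ordering in the finding: external call first, flag written afterwards.
    function flagAfterCall(ProbeAssetToken assetToken, uint256 fee) external {
        assetToken.updateExchangeRate(fee);
        s_currentlyFlashLoaning[address(assetToken)] = true;
        s_currentlyFlashLoaning[address(assetToken)] = false; // assumed reset at loan end
    }

    // Ordering in the mitigation: flag written first, external call afterwards.
    function flagBeforeCall(ProbeAssetToken assetToken, uint256 fee) external {
        s_currentlyFlashLoaning[address(assetToken)] = true;
        assetToken.updateExchangeRate(fee);
        s_currentlyFlashLoaning[address(assetToken)] = false; // assumed reset at loan end
    }
}

// Runs both orderings against fresh probes and returns what each probe saw.
contract OrderingCheck {
    function run() external returns (bool seenWithFlagAfter, bool seenWithFlagBefore) {
        LenderOrderingDemo lender = new LenderOrderingDemo();
        ProbeAssetToken a = new ProbeAssetToken();
        ProbeAssetToken b = new ProbeAssetToken();
        lender.flagAfterCall(a, 1);
        lender.flagBeforeCall(b, 1);
        return (a.flagSeenDuringCall(), b.flagSeenDuringCall());
    }
}
```

The difference is only observable to a callee that calls back into the lender during updateExchangeRate; a callee that makes no such call behaves the same under either ordering.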

Recommended Mitigation

Set s_currentlyFlashLoaning[token] = true before any external call:

+ s_currentlyFlashLoaning[token] = true;
assetToken.updateExchangeRate(fee);
assetToken.transferUnderlyingTo(receiverAddress, amount);
receiverAddress.functionCall(...);
- s_currentlyFlashLoaning[token] = true;
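
Review bot: The moved line s_currentlyFlashLoaning[token] = true; only writes the flag; nothing in this hunk reads it or reverts when it is already set, so placing it above assetToken.updateExchangeRate(fee) does not by itself reject a nested call. If the flag is meant to act as a guard, the patch should also show the check that refuses entry while it is true and the point after receiverAddress.functionCall(...) where it is cleared; otherwise the change is better described as a Checks-Effects-Interactions ordering cleanup than as a reentrancy fix.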
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
