Thunder Loan

AI First Flight #7
Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Impact: low
Likelihood: low
Invalid

[L-03] Centralization risk — owner controls fees, token list, and upgrade

Root + Impact

Description

Three critical protocol functions are gated solely behind onlyOwner:

| Function | Line | Risk if owner is malicious or compromised |
| --- | --- | --- |
| setAllowedToken() | 227 | Add malicious token, delist legitimate ones |
| updateFlashLoanFee() | 253 | Set fee to 100% blocking all flash loans |
| _authorizeUpgrade() | 280 | Upgrade proxy to malicious implementation |

Risk

Likelihood:

  • Requires the owner's private key to be compromised or the owner to act maliciously; not exploitable by external parties.

Impact:

  • A single compromised private key can effectively rug the entire protocol.

Proof of Concept

All three critical functions are callable by a single EOA with no delay or multi-party approval:

```solidity
// owner can brick flash loans instantly
thunderLoan.updateFlashLoanFee(s_feePrecision); // sets fee to 100%
// owner can upgrade proxy to a malicious implementation with no notice
proxy.upgradeTo(address(maliciousImpl));
// owner can delist all supported tokens, freezing LP redemptions
thunderLoan.setAllowedToken(token, false);
```

Recommended Mitigation

Replace the EOA owner with a Gnosis Safe multi-sig and wrap upgrade and fee functions behind a timelock so LPs have a window to exit before changes take effect. Parameter changes should require multiple signers to execute.

  • Use a multi-sig (e.g. Gnosis Safe) as the owner address rather than an EOA

  • Apply a timelock on upgradeTo and updateFlashLoanFee so LPs have time to exit before changes take effect

  • Consider a governance mechanism for protocol parameter changes
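
One way to enforce the delay recommended above, as an added example that is not part of the submission or the ThunderLoan code base: a contract that holds ownership, accepts queued calls only from the multi-sig, and executes them only after a fixed delay. The contract name, the 2-day delay, and the constructor addresses are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not ThunderLoan code. Meant to be set as the protocol's owner.
contract TimelockedOwner {
    uint256 public constant DELAY = 2 days;     // assumed exit window for LPs
    address public immutable multisig;          // assumed: multi-sig (e.g. Safe) address
    address public immutable target;            // assumed: the ThunderLoan proxy
    mapping(bytes32 => uint256) public readyAt; // operation id => earliest execution time

    event Queued(bytes32 indexed id, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);
    error NotMultisig();
    error AlreadyQueued();
    error NotReady();
    error CallFailed(bytes reason);

    modifier onlyMultisig() {
        if (msg.sender != multisig) revert NotMultisig();
        _;
    }

    constructor(address multisig_, address target_) {
        multisig = multisig_;
        target = target_;
    }

    // data is the ABI-encoded owner call, e.g. updateFlashLoanFee or upgradeTo.
    function queue(bytes calldata data, bytes32 salt) external onlyMultisig returns (bytes32 id) {
        id = keccak256(abi.encode(data, salt));
        if (readyAt[id] != 0) revert AlreadyQueued();
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, data, readyAt[id]); // public notice: LPs can watch this event
    }

    function cancel(bytes32 id) external onlyMultisig {
        delete readyAt[id];
        emit Cancelled(id);
    }

    function execute(bytes calldata data, bytes32 salt) external onlyMultisig {
        bytes32 id = keccak256(abi.encode(data, salt));
        uint256 t = readyAt[id];
        if (t == 0 || block.timestamp < t) revert NotReady();
        delete readyAt[id]; // clear before the external call (no replay, no reentry)
        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) revert CallFailed(ret);
        emit Executed(id);
    }
}
```

Ownership would be handed to this contract with `transferOwnership`, assuming ThunderLoan exposes the standard OpenZeppelin Ownable interface. OpenZeppelin's `TimelockController` provides the same queue-then-execute pattern with separate proposer and executor roles.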

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
