The protocol calculates flashloan fees based on the market value of the borrowed token using an oracle that returns the token’s price in WETH. This fee is then added to the vault’s exchange rate, increasing the value of AssetToken shares and distributing flashloan revenue proportionally to depositors. Under normal conditions, the oracle price reflects the fair market value of the token, ensuring accurate fee calculation and fair yield distribution.
The protocol relies on a manipulable AMM spot price as its oracle source without any time-weighting, delay, or sanity checks. Because AMM spot prices can be temporarily distorted within a single transaction using large swaps or flashloans, an attacker can artificially inflate or deflate the token price. Since flashloan fees and exchange rate updates depend directly on this price, the attacker can manipulate the oracle to influence fee calculations and vault share value in their favor, potentially enabling economic extraction from the vault.
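The following numeric model is an added example, not code from the protocol or the original report. It shows how a single large swap in a constant-product pool distorts a fee derived from spot price, and how a time-weighted reference with a deviation bound rejects that reading. The fee formula, `FEE_RATE`, the 5% bound, pool sizes and all function names are assumptions constructed for illustration.

```python
from fractions import Fraction

FEE_RATE = Fraction(3, 1000)  # assumed 0.3% flashloan fee rate (not from the page)

class Pool:
    """Constant-product (x*y=k) token/WETH pool; swap fee omitted for clarity."""
    def __init__(self, token, weth):
        self.token, self.weth = Fraction(token), Fraction(weth)

    def spot_price(self):
        """Instantaneous price in WETH per token."""
        return self.weth / self.token

    def sell_token(self, amount):
        """Swap `amount` tokens for WETH, keeping token * weth constant."""
        k = self.token * self.weth
        self.token += amount
        weth_out = self.weth - k / self.token
        self.weth -= weth_out
        return weth_out

def flashloan_fee(amount, price):
    """Assumed fee model: WETH value of the borrowed amount times FEE_RATE."""
    return amount * price * FEE_RATE

def twap(observations):
    """Time-weighted average over (price, seconds_held) observations."""
    total = sum(secs for _, secs in observations)
    return sum(price * secs for price, secs in observations) / total

def guarded_price(spot, reference, max_dev=Fraction(5, 100)):
    """Sanity check: refuse a spot price too far from the TWAP reference."""
    if abs(spot - reference) > reference * max_dev:
        raise ValueError("spot price deviates from TWAP reference")
    return spot

def demo():
    pool = Pool(token=1000, weth=100)           # constructed pool, 0.1 WETH/token
    fair = pool.spot_price()
    fee_fair = flashloan_fee(100, fair)
    pool.sell_token(9000)                       # one large swap moves the spot price
    skewed = pool.spot_price()
    fee_skewed = flashloan_fee(100, skewed)     # what a spot-price oracle would charge
    # Reference: 30 minutes at the fair price, one 12 s block at the skewed price.
    ref = twap([(fair, 1800), (skewed, 12)])
    try:
        guarded_price(skewed, ref)
        rejected = False
    except ValueError:
        rejected = True
    return fee_fair, fee_skewed, ref, rejected
```
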
Likelihood:
This vulnerability materializes whenever the referenced AMM pool has low or moderate liquidity and allows large swaps to significantly shift the spot price within a single transaction. During periods of low liquidity or concentrated liquidity imbalance, a sufficiently funded attacker can distort the spot price, trigger a flashloan, and influence the exchange rate calculation before the market corrects.
Impact:
Vault Share Inflation: Because the flashloan fee is calculated using a manipulable spot price and directly increases the exchange rate, an attacker can artificially inflate the value of AssetToken shares within a single transaction. This breaks the integrity of the vault’s accounting system.
Artificial exchange rate inflation enables an attacker to redeem shares at an inflated value, extracting more underlying tokens than economically justified. This results in a direct loss of funds from the vault, impacting honest depositors.
The attacker can artificially reduce or increase flashloan fees by distorting the oracle price. This allows them to pay significantly lower fees than intended, or to manipulate accounting to create disproportionate value shifts inside the vault.