The flash loan fee is calculated as:
Due to integer division truncation, borrowing sufficiently small amounts (e.g., valueOfBorrowedToken = 3e2) results in a calculated fee of zero.
This allows borrowers to repeatedly take flash loans without paying any fee. If s_flashLoanFee is reduced in the future, the exploitable borrowing threshold increases, further worsening the issue.
Likelihood:
This bug is likely to happen because there is a very small benefit to the attacker. Although the attacker will not pay the fee, the amount borrowed is very small: from the calculation, the attacker can borrow at most 3e2 per transaction.
If this runs on the Ethereum chain and the chain is under heavy traffic, the gas fee might be higher than the benefit of looping this transaction to avoid the fee.
Impact:
The impact is quite significant if the attacker runs this attack multiple times. The protocol will not get any of the fees.
## Description

getCalculatedFee can be as low as 0

## Vulnerability Details

Any value up to 333 for "amount" can result in 0 fee based on calculation

```
function testFuzzGetCalculatedFee() public {
    AssetToken asset = thunderLoan.getAssetFromToken(tokenA);

    uint256 calculatedFee = thunderLoan.getCalculatedFee(
        tokenA,
        333
    );

    assertEq(calculatedFee, 0);

    console.log(calculatedFee);
}
```

## Impact

Low as this amount is really small

## Recommendations

A minimum fee can be used to offset the calculation, though it is not that important.
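The truncation behind both reports, and two ways to close it, modelled in Python as an added example (not code from the contest repository or from either submission). It assumes a single-step formula `value * fee_rate // precision` with a precision of 1e18 and a fee rate of 3e15, values chosen because they reproduce the 333 threshold reported above; all function and constant names are hypothetical.

```python
# Added illustration: a Python model of a truncating fee calculation.
# ASSUMPTIONS (not shown on the page): fee = value * fee_rate // precision,
# FEE_PRECISION = 1e18 and FLASH_LOAN_FEE = 3e15 (0.3%). Names are hypothetical.

FEE_PRECISION = 10**18
FLASH_LOAN_FEE = 3 * 10**15


def fee_floor(value: int, fee_rate: int = FLASH_LOAN_FEE) -> int:
    """Truncating division, as Solidity's `/` does on unsigned integers."""
    return value * fee_rate // FEE_PRECISION


def max_zero_fee_value(fee_rate: int = FLASH_LOAN_FEE) -> int:
    """Largest borrowed value whose truncated fee is still 0."""
    # fee == 0  <=>  value * fee_rate < FEE_PRECISION
    return (FEE_PRECISION - 1) // fee_rate


def fee_ceil(value: int, fee_rate: int = FLASH_LOAN_FEE) -> int:
    """Mitigation 1: round in the protocol's favour (ceiling division)."""
    return (value * fee_rate + FEE_PRECISION - 1) // FEE_PRECISION


def fee_with_minimum(value: int, min_fee: int = 1,
                     fee_rate: int = FLASH_LOAN_FEE) -> int:
    """Mitigation 2: the minimum fee suggested in the recommendation."""
    if value == 0:
        return 0
    return max(fee_floor(value, fee_rate), min_fee)


def fee_shortfall(total: int, chunk: int,
                  fee_rate: int = FLASH_LOAN_FEE) -> int:
    """Fee the protocol misses when `total` is lent out in `chunk`-sized loans."""
    full, rest = divmod(total, chunk)
    paid = full * fee_floor(chunk, fee_rate) + fee_floor(rest, fee_rate)
    return fee_floor(total, fee_rate) - paid
```

Under these assumptions `max_zero_fee_value()` is 333, and lowering the rate to 1e15 raises it to 999, which is the threshold growth the first report warns about.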