Thunder Loan

AI First Flight #7
Tags: Beginner Friendly, Foundry, DeFi, Oracle

Submission Details
Impact: low
Likelihood: high
Invalid

[M-1] isContract Validation Is Unsafe and Unreliable for Flash Loan Receiver Verification

Description

  • The protocol relies on isContract to verify that the flash loan receiver is a contract. However, isContract returns false for a contract that is still executing its constructor, making it an unreliable validation mechanism.

    An attacker or integrator can execute flash loan logic from within a constructor, causing the validation to behave unexpectedly. Additionally, this pattern breaks compatibility with smart wallets and violates best practices recommended by the Ethereum community.

    Rather than providing security, this check introduces fragility and false assumptions about caller behavior.

```solidity
if (!receiverAddress.isContract())
```
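The following is an added illustration, not Thunder Loan code, of the behaviour the description relies on: an `isContract` check based on code size returns false while the queried contract is still inside its constructor, and true once deployment has completed. The `GatedLender` and `ConstructionProbe` contracts, the `AddressCheck` library and the `checkReceiver` function are all hypothetical names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Thunder Loan code: shows that a code-size based
// isContract() check answers false for a contract that is still running
// its constructor, and true for the same address afterwards.

library AddressCheck {
    // Same technique as the usual isContract() helper: non-zero code size.
    // During construction, no runtime code is stored at the address yet,
    // so extcodesize (account.code.length) is zero.
    function isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }
}

// Stand-in for a lender that gates its callback on isContract().
// It returns the result instead of reverting so the probe below can
// record both outcomes in one deployment.
contract GatedLender {
    using AddressCheck for address;

    event ReceiverChecked(address indexed receiver, bool passed);

    function checkReceiver(address receiverAddress) external returns (bool) {
        bool passed = receiverAddress.isContract();
        emit ReceiverChecked(receiverAddress, passed);
        return passed;
    }
}

// Asks the lender about its own address once during construction and once
// after deployment, and stores both answers for inspection.
contract ConstructionProbe {
    GatedLender public immutable lender;
    bool public passedDuringConstructor;
    bool public passedAfterDeploy;

    constructor(GatedLender _lender) {
        lender = _lender;
        // address(this).code.length == 0 here, so the gate reports false.
        passedDuringConstructor = _lender.checkReceiver(address(this));
    }

    function probeAgain() external {
        // Runtime code is now stored at address(this), so the gate reports true.
        passedAfterDeploy = lender.checkReceiver(address(this));
    }
}
```

Deploy `GatedLender`, then `ConstructionProbe` with the lender's address, and call `probeAgain()`: `passedDuringConstructor()` reads false and `passedAfterDeploy()` reads true. This is the general property of code-size checks in the EVM, not something specific to one lender, which is why the same check cannot distinguish an EOA from a contract under construction.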

Risk

Likelihood:

  • Constructor-based execution and advanced contract patterns are common in modern DeFi, making this scenario realistic.

Impact:

  • Low — Denial of Service and Integration Failure.
    While not directly leading to asset loss, this issue prevents valid flash loan use cases and breaks composability with smart-contract wallets and advanced integrations.

Recommended Mitigation

Rather than relying on `isContract`, use a different validation approach so that this failure mode does not recur.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 9 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
