Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Storage Collision in `ThunderLoanUpgraded` Causes Incorrect Flash Loan Fee After Upgrade

akovachev7

Root + Impact

According to the protocol specification, upgrading from ThunderLoan to ThunderLoanUpgraded should preserve all protocol state and functionality, including the flash loan fee configuration.

A storage layout incompatibility between ThunderLoan and ThunderLoanUpgraded causes the flash loan fee to be incorrectly read from the wrong storage slot after upgrade, breaking the protocol's economic model and making flash loans prohibitively expensive.

Description

The original ThunderLoan contract defines storage variables in the following order:

// ThunderLoan.sol - Storage Layout
mapping(IERC20 => AssetToken) public s_tokenToAssetToken; // Slot 0
uint256 private s_feePrecision; // Slot 1
uint256 private s_flashLoanFee; // Slot 2
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning; // Slot 3

During initialization, the fee is set to 0.3% (3e15) in slot 2, and the fee precision is set to 1e18 in slot 1:

function initialize(address tswapAddress) external initializer {
__Ownable_init();
__UUPSUpgradeable_init();
__Oracle_init(tswapAddress);
s_feePrecision = 1e18; // Stored in slot 1
s_flashLoanFee = 3e15; // Stored in slot 2 - 0.3% ETH fee
}

However, the upgraded ThunderLoanUpgraded contract changes the storage layout by removing s_feePrecision as a storage variable and converting it to a constant:

// ThunderLoanUpgraded.sol - Storage Layout
mapping(IERC20 => AssetToken) public s_tokenToAssetToken; // Slot 0
//@audit-issue: s_feePrecision removed from storage!
@>uint256 private s_flashLoanFee; // Now in Slot 1 (was Slot 2)
uint256 public constant FEE_PRECISION = 1e18; // Not stored (constant)
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning; // Slot 2

After the upgrade, when getFee() is called, it reads s_flashLoanFee from slot 1, which contains the old s_feePrecision value (1e18), instead of slot 2 which contains the actual fee (3e15):

function getFee() external view returns (uint256) {
return s_flashLoanFee; // Reads from slot 1 = 1e18 instead of slot 2 = 3e15
}

Risk

Likelihood: High

  • The upgrade will be executed as part of the normal protocol lifecycle

  • The storage collision occurs immediately upon upgrade with 100% certainty

  • No special conditions are required for the vulnerability to manifest

Impact: High

  • Flash loan fee incorrectly changes from 0.3% (3e15) to 100% (1e18 / 1e18)

  • Protocol becomes economically non-viable as flash loans cost 100% of the borrowed amount

  • Original fee configuration (3e15) is permanently lost and cannot be recovered

  • All flash loan functionality effectively breaks, violating core protocol requirements

  • Liquidity providers lose expected yield as no users will take flash loans at 100% fee

Proof of Concept

The test testThunderLoanUpgrade_Should_Match() demonstrates this vulnerability:

function testThunderLoanUpgrade_Should_Match() public {
uint256 flashLoanFeeBeforeUpgrade = thunderLoan.getFee();
vm.prank(thunderLoan.owner());
thunderLoan.upgradeTo(address(thunderLoanUpgraded));
uint256 flashloanFeeAfterUpgrade = thunderLoan.getFee();
assertEq(flashLoanFeeBeforeUpgrade, flashloanFeeAfterUpgrade);
}

Test Output:

[FAIL: assertion failed: 3000000000000000 != 1000000000000000000] testThunderLoanUpgrade_Should_Match()
Expected: 3000000000000000 (0.3% fee - 3e15)
Actual: 1000000000000000000 (100% fee - 1e18)

Run the test with:

forge test --match-test testThunderLoanUpgrade_Should_Match -vv

Recommended Mitigation

To prevent this storage collision vulnerability, maintain the same storage layout in ThunderLoanUpgraded by keeping s_feePrecision as a storage variable, even if it's no longer actively used:

contract ThunderLoanUpgraded is Initializable, OwnableUpgradeable, UUPSUpgradeable, OracleUpgradeable {
// ... error declarations and using statements ...
/*//////////////////////////////////////////////////////////////
STATE VARIABLES
//////////////////////////////////////////////////////////////*/
mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
- // The fee in WEI, it should have 18 decimals. Each flash loan takes a flat fee of the token price.
+ uint256 private s_feePrecision; // Keep for storage layout compatibility
uint256 private s_flashLoanFee; // 0.3% ETH fee
uint256 public constant FEE_PRECISION = 1e18;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;

Alternatively, use OpenZeppelin's storage gap pattern to reserve storage slots for future upgrades:

mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
uint256 private s_feePrecision;
uint256 private s_flashLoanFee;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;
// Reserve 50 storage slots for future upgrades
uint256[50] private __gap;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!