Thunder Loan

AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Submission Details
Severity: high
Valid

Storage Collision in Contract Upgrade bricks protocol by setting flash loan fees to 100%

[C-1] Storage Collision in Contract Upgrade bricks protocol by setting flash loan fees to 100%

Description

The upgrade from ThunderLoan.sol to ThunderLoanUpgraded.sol introduces a critical storage layout mismatch. In upgradeable contracts (using proxy patterns), the storage layout must be strictly preserved across implementations.

The developer removed the s_feePrecision state variable and repositioned s_flashLoanFee in the upgraded contract, which causes a devastating storage slot collision.

ThunderLoan.sol (Original Storage Layout):

  • Slot 0: s_tokenToAssetToken

  • Slot 1: s_feePrecision (Value = 1e18)

  • Slot 2: s_flashLoanFee (Value = 3e15)

  • Slot 3: s_currentlyFlashLoaning

ThunderLoanUpgraded.sol (Upgraded Storage Layout):

  • Slot 0: s_tokenToAssetToken

  • Slot 1: s_flashLoanFeeCOLLISION

  • Slot 2: s_currentlyFlashLoaning

After the upgrade, the new s_flashLoanFee variable in Slot 1 incorrectly reads the stale value left by s_feePrecision(which is 1e18 or 100%), instead of its intended 3e15 (0.3%).

Risk

Severity: Critical

Because the flash loan fee variable now reads 1e18 from the proxy's storage, the fee instantly becomes 100% of the borrowed amount.

  • No user or arbitrageur will ever take out a flash loan due to the impossible fee.

  • The core functionality of the protocol is entirely bricked.

  • Liquidity providers cannot earn yield, leading to a complete economic collapse of the protocol.

Proof of Concept

The following test demonstrates how the fee jumps to 100% immediately after the upgrade due to the storage collision.

Solidity

// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
import { Test } from "forge-std/Test.sol";
import { ThunderLoan } from "../../src/protocol/ThunderLoan.sol";
import { ThunderLoanUpgraded } from "../../src/upgradedProtocol/ThunderLoanUpgraded.sol";
contract StorageCollisionTest is Test {
ThunderLoan thunderLoan;
function test_StorageCollisionAfterUpgrade() public {
// Before upgrade: Fee reads correctly from Slot 2
uint256 feeBefore = thunderLoan.getFee();
assertEq(feeBefore, 3e15); // 0.3% - correct
// Perform upgrade to the new implementation
ThunderLoanUpgraded upgraded = new ThunderLoanUpgraded();
thunderLoan.upgradeTo(address(upgraded));
// After upgrade: s_flashLoanFee (now in Slot 1) reads the old s_feePrecision value
uint256 feeAfter = ThunderLoanUpgraded(address(thunderLoan)).getFee();
assertEq(feeAfter, 1e18); // BUG: Fee is now 100%!
// The protocol is now practically unusable
}
}

Recommended Mitigation

When upgrading contracts, never alter the order of existing storage variables, and never remove them. If a variable is no longer needed, it must be left in the code or renamed to mark it as deprecated to maintain the storage slot layout.

Option 1: Preserve original slot order Keep s_feePrecision in Slot 1 to maintain the layout, and define the new constant correctly (constants do not use storage slots).

Solidity

contract ThunderLoanUpgraded {
mapping(IERC20 => AssetToken) public s_tokenToAssetToken; // Slot 0
// KEEP ORIGINAL SLOT ORDER
uint256 private s_feePrecision; // Slot 1 - deprecated but must stay
uint256 private s_flashLoanFee; // Slot 2
uint256 public constant FEE_PRECISION = 1e18; // Constants don't take storage slots
mapping(IERC20 token => bool) private s_currentlyFlashLoaning; // Slot 3
}

Option 2: Utilize OpenZeppelin Storage Gaps for Future Upgrades It is highly recommended to append storage gaps at the end of upgradeable contracts to prevent future collisions if the contract is inherited.

Solidity

// In the contract implementation:
uint256[50] private __gap; // Reserve storage slots for future upgrades
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!