The ThunderLoan and ThunderLoanUpgraded contracts can be upgraded instantly by the owner without any timelock mechanism or advance notification to users. This violates the principle of user protection in upgradeable decentralized protocols.
In the contract, the _authorizeUpgrade function allows the owner to push a new implementation immediately:
Solidity
Because there is zero delay between the proposal of an upgrade and its execution, users have zero time to review the new implementation, withdraw their funds, or adjust their positions before potentially breaking or malicious changes take effect.
Severity: Medium
User Funds at Risk: Users cannot protect their funds before an upgrade is executed.
Rug-Pull Potential: A compromised owner key or a malicious owner can instantly upgrade the proxy to a malicious implementation that drains all protocol liquidity in a single transaction.
Best Practices Violation: It violates core DeFi best practices for upgradeable protocols.
Loss of Trust: The centralization vector erodes user trust and protocol credibility.
The following test demonstrates that the protocol owner can deploy a new implementation and upgrade the contract in the exact same transaction, leaving users with 0 seconds to react.
Solidity
Implement a Timelock controller to enforce a mandatory delay between scheduling an upgrade and executing it. This gives users a grace period (e.g., 48 hours) to exit the protocol if they disagree with the proposed changes.
Use OpenZeppelin's TimelockController or implement a custom delay mechanism as shown below:
Solidity
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.