Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Storage Layout Collision on V1→V2 Upgrade (Merged)

samuraiigintokii

[H-4] Storage Layout Collision on V1→V2 Upgrade (Merged)

Field	Value
Severity	High
Location	`src/upgradedProtocol/ThunderLoanUpgraded.sol` state variable declarations vs `src/protocol/ThunderLoan.sol`

Root Cause

Replacing s_feePrecision (a uint256 private state variable) with uint256 public constant FEE_PRECISION removes a storage slot. Constants do not occupy storage slots in Solidity, shifting every subsequent variable declaration by one slot.

V1 layout:

Slot	Variable	Value
N	`s_tokenToAssetToken` (mapping)	—
N+1	(implicit ERC1967 / Ownable gap)	—
N+2	`uint256 private s_feePrecision`	`1e18`
N+3	`uint256 private s_flashLoanFee`	`3e15`
N+4	`mapping s_currentlyFlashLoaning`	—

V2 layout (broken):

Slot	Variable	Reads From V1
N	`s_tokenToAssetToken` (mapping)	✅ Correct
N+1	(implicit gap)	✅ Correct
N+2	`uint256 private s_flashLoanFee`	❌ Reads V1's `s_feePrecision` = `1e18`
N+3	`mapping s_currentlyFlashLoaning`	❌ Reads V1's `s_flashLoanFee` = `3e15`
N+4	(no variable)	V1's real flash-loan state orphaned

Downstream Impacts

(a) 100% flash loan fee (H-4):
getCalculatedFee reads s_flashLoanFee as 1e18 (V1's s_feePrecision). The calculation becomes:

fee = (valueOfBorrowedToken * 1e18) / 1e18 = valueOfBorrowedToken

Every flash loan charges 100% , borrower must repay double the loan amount. Protocol is functionally bricked.

(b) Flash loan state corruption (H-5):
V2's s_currentlyFlashLoaning mapping at slot N+3 reads V1's s_flashLoanFee value of 3e15 which is a raw uint256, not a valid mapping. V1's actual flash-loan state lives at slot N+4, which V2 has no variable referencing.

Consequences:

Mid-loan bricking: If a flash loan was in progress during upgrade, repay() checks the wrong slot, finds false, and reverts. Borrower cannot repay , thus funds are stuck forever.
Storage corruption: Every new flash loan after upgrade writes to slot N+3, which initially contained 3e15. This corrupts the mapping state on every write.

Impact

Protocol is unusable after upgrade (100% fees).
Active flash loan borrowers lose their funds during upgrade.
Permanent storage corruption affects all post-upgrade flash loans.

Proof of Concept

contract H5StorageCollisionPoC is BaseTest {

ThunderLoanUpgraded public upgradedThunderLoan;

function test_POC_H5_storage_collision() public {

// 1. Setup V1

vm.startPrank(thunderLoan.owner());

thunderLoan.setAllowedToken(tokenA, true);

vm.stopPrank();

// 2. Record V1 fee (should be 0.3%)

uint256 borrowAmt = 100e18;

uint256 feeV1 = thunderLoan.getCalculatedFee(tokenA, borrowAmt);

assertEq(feeV1, 3e17, "V1 fee should be exactly 0.3%");

// 3. Upgrade to V2

ThunderLoanUpgraded upgradedImpl = new ThunderLoanUpgraded();

vm.startPrank(thunderLoan.owner());

thunderLoan.upgradeTo(address(upgradedImpl));

vm.stopPrank();

upgradedThunderLoan = ThunderLoanUpgraded(address(thunderLoan));

// 4. Record V2 fee (now 100% due to storage collision)

uint256 feeV2 = upgradedThunderLoan.getCalculatedFee(tokenA, borrowAmt);

assertEq(feeV2, borrowAmt, "V2 fee should be 100% of loan amount due to storage collision");

}

Recommended Mitigation

Never change a private state variable to a constant in an upgradeable contract. Preserve the storage slot even if the variable becomes unused:

// ThunderLoanUpgraded.sol

-uint256 public constant FEE_PRECISION = 1e18;

+/// @dev PRESERVED for storage layout compatibility with V1. Unused in V2.

+uint256 private __reserved_feePrecision_slot;

Alternative: Namespaced storage (ERC-7201)
Use keccak256(abi.encode(uint256(keccak256("thunderloan.storage")) - 1)) & ~bytes32(uint256(0xff)) as the storage base. This decouples storage layout from contract inheritance and variable declaration order.

If migration is required:
Implement a one-time migration function that reads old slots and writes to new ones:

function migrateStorage() external onlyOwner {

// Read old s_currentlyFlashLoaning from V1 slot N+4

// Write to new slot if needed

// Must be called before any flash loan operations post-upgrade

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!