Submission Details
Impact:
Likelihood:
All Admin Functions Have No Timelock
[M-2] All Admin Functions Have No Timelock
| Field | Value |
|---|---|
| Severity | Medium |
| Location | ThunderLoan.sol::setAllowedToken, updateFlashLoanFee, _authorizeUpgrade |
Description
All three owner-restricted functions execute immediately with no delay. No timelock, no multi-sig, no governance vote.
Impact
The owner can unilaterally at any moment:
Upgrade to a malicious implementation → drain all funds.
Disallow all tokens → brick all LP redemptions.
Set fee to 100% or 0%.
Recommended Mitigation
+uint256 public constant ADMIN_TIMELOCK = 2 days;
+uint256 public s_feeUpdateScheduledAt;
+uint256 public s_pendingFee;
+
+function scheduleFeeUpdate(uint256 newFee) external onlyOwner {
+ s_feeUpdateScheduledAt = block.timestamp + ADMIN_TIMELOCK;
+ s_pendingFee = newFee;
+}
+
+function executeFeeUpdate() external onlyOwner {
+ if (block.timestamp < s_feeUpdateScheduledAt) revert TimelockNotElapsed();
+ s_flashLoanFee = s_pendingFee;
+}
Apply the same schedule/execute pattern to setAllowedToken and _authorizeUpgrade. Consider multi-sig for the upgrade path.
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.