Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

ThunderLoanUpgraded Removes s_feePrecision Causing Storage Collision — s_flashLoanFee Corrupted to 100%

bamgboseoluwole83

Root + Impact

Description

  • Describe the normal behavior in one or more sentences

  • Explain the specific issue or problem in one or more sentences

/## Description
- The protocol is designed to upgrade seamlessly using proxy patterns while maintaining consistent storage variables across sequential contract implementations.
- `ThunderLoanUpgraded.sol` removes the `s_feePrecision` storage variable entirely and introduces a `FEE_PRECISION` constant in its place. Because constants do not occupy state storage slots, this causes a storage collision after an upgrade. The downstream variable `s_flashLoanFee` shifts down into the old slot previously held by `s_feePrecision`, inheriting its old initialization value (`1e18`), which scales the protocol's active fee rate to 100%.
```solidity
// @> Root cause: Removal of s_feePrecision shifts the storage slot layout for downstream variables
contract ThunderLoanUpgraded is Initializable, UUPSUpgradeable {
// uint256 private s_feePrecision; // REMOVED WITHOUT PLACEHOLDER OR GAP
uint256 private s_flashLoanFee; // Now occupies the old slot containing 1e18
}
```
## Risk
Likelihood:
- This issue will occur immediately following the execution of the `upgradeTo` sequence on the proxy infrastructure.
- Attempting to reset or salvage the state via `updateFlashLoanFee` fails permanently because the sanity validation checks prevent inputs matching or exceeding the newly established boundary parameters.
Impact:
- The flash loan fee parameter is permanently locked at 100% of the entire borrowed principal amount.
- The protocol becomes completely unusable for capital consumers, breaking the core feature set of the ecosystem.
## Proof of Concept
Add this validation function to your Foundry verification suite:
```solidity
function test_PoC1_UpgradeStorageCollision() public {
// Deploy ThunderLoan + proxy
ThunderLoan implementation1 = new ThunderLoan();
ERC1967Proxy proxy = new ERC1967Proxy(address(implementation1), "");
ThunderLoan loan = ThunderLoan(address(proxy));
loan.initialize(address(poolFactory));
uint256 feeBefore = loan.getFee(); // 3e15 = 0.3%
// Upgrade to ThunderLoanUpgraded
ThunderLoanUpgraded implementation2 = new ThunderLoanUpgraded();
vm.prank(owner);
loan.upgradeTo(address(implementation2));
uint256 feeAfter = ThunderLoanUpgraded(address(proxy)).getFee();
// feeAfter = 1e18 (100%) — corrupted by old s_feePrecision slot
assertEq(feeAfter, 1e18);
}
```
## Recommended Mitigation
Preserve the sequential storage slot sequence by inserting a explicitly named placeholder padding variable directly inside the exact slot index previously occupied by the removed variable:
```solidity
<<<<
// s_feePrecision removed entirely
====
uint256 private __gap_s_feePrecision; // Occupies the old slot to maintain layout consistency
>>>>
```
/ Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • Reason 2

Impact:

  • Impact 1

  • Impact 2

Proof of Concept

Recommended Mitigation

- remove this code
+ add this code
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!