Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Storage Slot Collision Causes 100% Flash Loan Fees

arlen73961845
## Bug Description
### Brief/Intro
Upgrading from `ThunderLoan` to `ThunderLoanUpgraded` causes a storage slot collision where `s_flashLoanFee` reads the old `s_feePrecision` value (1e18), resulting in 100% flash loan fees. This effectively bricks the protocol as all flash loans would require 2x repayment.
### Details
- **Location**: `ThunderLoanUpgraded.sol` storage layout vs `ThunderLoan.sol`
- **Root Cause**: In the upgraded contract, `s_feePrecision` was removed as a state variable and made a constant (`FEE_PRECISION`), shifting all subsequent storage slots.
**Storage Layout Comparison**:
```
ThunderLoan (Original):
Slot N: s_tokenToAssetToken (mapping)
Slot N+1: s_feePrecision = 1e18
Slot N+2: s_flashLoanFee = 3e15
ThunderLoanUpgraded:
Slot N: s_tokenToAssetToken (mapping)
Slot N+1: s_flashLoanFee ← READS 1e18 (COLLISION!)
(N/A): FEE_PRECISION is constant (no slot)
Slot N+2: s_currentlyFlashLoaning (mapping)
```
**Corrupted Fee Calculation** (`ThunderLoanUpgraded.sol:244-248`):
```solidity
function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / FEE_PRECISION;
// s_flashLoanFee is now 1e18 instead of 3e15!
fee = (valueOfBorrowedToken * s_flashLoanFee) / FEE_PRECISION;
// fee = (amount * 1e18) / 1e18 = amount (100% fee)
}
```
### Exploit Steps
**Step 1: [State Change]**
The protocol is operating normally with ThunderLoan. Flash loan fee is correctly set to 0.3% (s_flashLoanFee = 3e15, s_feePrecision = 1e18). Liquidity providers have deposited funds and users are taking flash loans.
**Step 2: [Mathematical Precondition]**
The owner decides to upgrade the contract to ThunderLoanUpgraded, which contains a "fix" that makes `s_feePrecision` a constant instead of a state variable. This removes the storage slot but shifts subsequent slots.
**Step 3: [Blockage Analysis]**
After upgrade, the proxy's storage at Slot N+1 still contains the old value 1e18 (from s_feePrecision). The new logic reads this as s_flashLoanFee. When getCalculatedFee() is called: `fee = (amount × 1e18) / 1e18 = amount` — a 100% fee rate.
**Step 4: [Impact Realization]**
All flash loan attempts now require 200% of the borrowed amount to repay. Most flash loan receiver contracts have limited token allowances and expect ~0.3% fees. They cannot repay 100% extra, causing all transactions to revert. The protocol is effectively DoS'd.
## Impact
**Critical Severity**
* **Risk Funds Calculation**:
* **Immediate DoS**: 100% of flash loan functionality disabled
* **LP Funds**: Not directly at risk, but yield generation stops
* **Integration Breakage**: All protocols integrating ThunderLoan flash loans break
* **Protocol DoS**: Flash loans become impossible as no sane borrower pays 100% fees
* **Revenue Loss**: Protocol loses all flash loan fee revenue
* **Reputation Damage**: Upgrade causing immediate breakage destroys trust
## Risk Breakdown
This vulnerability triggers automatically upon upgrade with no attacker required. It's a self-inflicted DoS through a storage layout error.
- Difficulty to Exploit: **N/A** (automatic, no exploit needed)
- Weakness: CWE-787 (Out-of-bounds Write) / Storage Layout Mismatch
## Recommendation
Preserve storage slot compatibility by keeping `s_feePrecision` as a placeholder or using storage gaps.
```diff
contract ThunderLoanUpgraded is ... {
mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
+ // PRESERVED FOR STORAGE COMPATIBILITY - DO NOT REMOVE
+ uint256 private __deprecated_feePrecision;
+
uint256 private s_flashLoanFee;
uint256 public constant FEE_PRECISION = 1e18;
mapping(IERC20 => bool) private s_currentlyFlashLoaning;
```
Or use OpenZeppelin's storage gap pattern:
```solidity
uint256[50] private __gap; // Reserve slots for future upgrades
```
## Vulnerable Code Locations
### ThunderLoanUpgraded.sol - Storage Variables (L93-99)
```solidity
mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
// The fee in WEI, it should have 18 decimals.
uint256 private s_flashLoanFee; // 0.3% ETH fee // ← SLOT COLLISION
uint256 public constant FEE_PRECISION = 1e18; // ← Constant, no slot!
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;
```
## Proof of Concept
See complete PoC file: [StorageCollisionPoC.t.sol]()
```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
import { Test, console } from "forge-std/Test.sol";
import { ThunderLoan } from "../../src/protocol/ThunderLoan.sol";
import { ThunderLoanUpgraded } from "../../src/upgradedProtocol/ThunderLoanUpgraded.sol";
import { ERC20Mock } from "@openzeppelin/contracts/mocks/ERC20Mock.sol";
import { MockPoolFactory } from "../../test/mocks/MockPoolFactory.sol";
import { ERC1967Proxy } from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
/**
* @title H-02: Storage Slot Collision PoC
* @notice Demonstrates 100% fee after upgrade due to storage slot mismatch
*/
contract StorageCollisionPoC is Test {
ThunderLoan thunderLoan;
ThunderLoanUpgraded thunderLoanUpgraded;
MockPoolFactory mockPoolFactory;
ERC1967Proxy proxy;
ERC20Mock tokenA;
function setUp() public {
ThunderLoan implementation = new ThunderLoan();
mockPoolFactory = new MockPoolFactory();
tokenA = new ERC20Mock();
mockPoolFactory.createPool(address(tokenA));
proxy = new ERC1967Proxy(address(implementation), "");
thunderLoan = ThunderLoan(address(proxy));
thunderLoan.initialize(address(mockPoolFactory));
thunderLoan.setAllowedToken(tokenA, true);
}
function test_Exploit_StorageCollision_100PercentFee() public {
// Step 1: Verify original fee is 0.3%
uint256 originalFee = thunderLoan.getFee();
uint256 originalPrecision = thunderLoan.getFeePrecision();
console.log("Original s_flashLoanFee:", originalFee);
console.log("Original s_feePrecision:", originalPrecision);
assertEq(originalFee, 3e15, "Original fee should be 3e15 (0.3%)");
// Step 2: Upgrade to ThunderLoanUpgraded
thunderLoanUpgraded = new ThunderLoanUpgraded();
thunderLoan.upgradeTo(address(thunderLoanUpgraded));
// Step 3: Verify fee is now 100% (corrupted)
ThunderLoanUpgraded upgraded = ThunderLoanUpgraded(address(proxy));
uint256 corruptedFee = upgraded.getFee();
console.log("Corrupted s_flashLoanFee:", corruptedFee);
assertEq(corruptedFee, 1e18, "Fee corrupted to 1e18 (100%)");
// Step 4: Demonstrate impact
uint256 borrowAmount = 100e18;
uint256 calculatedFee = upgraded.getCalculatedFee(tokenA, borrowAmount);
console.log("Borrow amount:", borrowAmount);
console.log("Calculated fee:", calculatedFee);
assertEq(calculatedFee, borrowAmount, "Fee equals 100% of borrow amount");
}
}
```
**Run Command**:
```bash
forge test --match-contract StorageCollisionPoC -vvv
```
**Expected Output**:
```
[PASS] test_StorageCollision_100PercentFee()
Original fee: 3000000000000000
Corrupted fee: 1000000000000000000
Borrow 100 tokens, fee: 100 tokens
```
## References
- [OpenZeppelin Upgradeable Contracts - Storage Gaps](https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#storage-gaps)
- [CWE-787: Out-of-bounds Write](https://cwe.mitre.org/data/definitions/787.html)
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 23 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!