IThunderLoan.sol declares repay(address token, uint256 amount) while the actual implementation uses repay(IERC20 token, uint256 amount). Although both types encode identically in the ABI (both are address at the ABI level, so the function selector is the same), this creates a type-level mismatch that confuses integrators.
Flash loan receivers that import IThunderLoan and call IThunderLoan(thunderLoan).repay(tokenAddress, amount) will work at runtime (same ABI encoding), but Solidity's type checker treats these as different types. A receiver written as:
This works because ABI encoding is identical, but any developer reading the interface assumes address while the contract expects IERC20. If the interface is used for type-safe internal routing or proxy delegation, the mismatch could cause subtle issues.
Likelihood: High — any developer building a flash loan receiver will encounter this mismatch when referencing the interface.
Impact: Low — no direct fund loss since ABI encoding is identical. But it violates Solidity type safety guarantees and creates confusion for integrators, potentially leading to bugs in receiver contracts.
Output: Both selectors match (0x...), confirming ABI compatibility. But the source-level type mismatch (address vs IERC20) remains, creating developer confusion.
Align the interface with the implementation:
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.