Thunder Loan

AI First Flight #7
Submission Details
Impact: high
Likelihood: low
Invalid

# [L-03] Empty `_authorizeUpgrade()` — No Upgrade Safety Checks

Scope

  • ThunderLoan.sol

  • ThunderLoanUpgraded.sol

Description

The UUPS _authorizeUpgrade() function has an empty body, relying solely on the onlyOwner modifier inherited from OwnableUpgradeable. There are no additional safety checks such as timelock enforcement, multi-sig requirement, or new implementation validation.

@> function _authorizeUpgrade(address newImplementation) internal override onlyOwner { }

Risk

Likelihood: Low — requires owner key compromise.
Impact: High — a compromised owner key can immediately upgrade to a malicious implementation without any delay or validation.
Severity: Low

Proof of Concept

A compromised owner can call upgradeTo(maliciousAddress) in a single transaction, immediately replacing the entire protocol logic without any warning, timelock, or governance process.

function test_instant_upgrade_no_timelock() public {
    // Owner can upgrade immediately — no delay
    ThunderLoanUpgraded malicious = new ThunderLoanUpgraded();
    thunderLoan.upgradeTo(address(malicious)); // Immediate — no safety checks
}
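
For contrast with the single-transaction upgrade in the test above, here is one way a delay could be enforced inside `_authorizeUpgrade()`. This is an added example, not ThunderLoan's or the submitter's code: the mixin name `DelayedUpgradeAuth`, the `scheduleUpgrade`/`cancelUpgrade` functions and the 2-day delay are assumptions, and it assumes the OpenZeppelin upgradeable contracts are installed at the import paths shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

/// Hypothetical mixin (illustration only): an upgrade must be announced on-chain
/// and can only be executed after UPGRADE_DELAY has elapsed.
/// It adds two storage slots, so when retrofitted into a deployed proxy the new
/// variables must not shift the existing storage layout.
abstract contract DelayedUpgradeAuth is OwnableUpgradeable, UUPSUpgradeable {
    uint256 public constant UPGRADE_DELAY = 2 days; // assumed value

    address public pendingImplementation;
    uint256 public upgradeReadyAt;

    event UpgradeScheduled(address indexed implementation, uint256 readyAt);
    event UpgradeCancelled(address indexed implementation);

    error NotAContract(address implementation);
    error UpgradeNotScheduled(address implementation);
    error UpgradeNotReady(uint256 readyAt);

    /// Step 1: announce the target. The event gives users and monitors a warning window.
    function scheduleUpgrade(address newImplementation) external onlyOwner {
        if (newImplementation.code.length == 0) revert NotAContract(newImplementation);
        pendingImplementation = newImplementation;
        upgradeReadyAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeScheduled(newImplementation, upgradeReadyAt);
    }

    function cancelUpgrade() external onlyOwner {
        emit UpgradeCancelled(pendingImplementation);
        delete pendingImplementation;
        delete upgradeReadyAt;
    }

    /// Step 2: the UUPS upgrade entry point calls this hook. It reverts unless the
    /// exact target was scheduled and the delay has passed, then clears the slot.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {
        if (newImplementation == address(0) || newImplementation != pendingImplementation) {
            revert UpgradeNotScheduled(newImplementation);
        }
        if (block.timestamp < upgradeReadyAt) revert UpgradeNotReady(upgradeReadyAt);
        delete pendingImplementation;
        delete upgradeReadyAt;
    }
}
```

A delay held by the same owner key does not stop a compromised key from upgrading eventually; it turns the upgrade into a visible, cancellable event that depositors and monitoring can react to.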

Recommended Mitigation

Add implementation validation inside _authorizeUpgrade() to ensure the new implementation is non-zero and conforms to the expected interface. This prevents accidentally upgrading to an incompatible or empty contract. For additional safety, consider wrapping the upgrade behind a timelock or multi-sig governance contract.

function _authorizeUpgrade(address newImplementation) internal override onlyOwner {
+ require(newImplementation != address(0), "Zero address");
+ require(IERC165(newImplementation).supportsInterface(type(IThunderLoan).interfaceId),
+ "Invalid implementation");
}
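
Review bot: the `supportsInterface` check in the second added `require` does not cover the scenario given in the Risk section, because whoever controls the owner key also chooses `newImplementation` and can point it at a contract that returns `true` for `type(IThunderLoan).interfaceId`. As the mitigation text itself says, it only guards against an accidental upgrade to an incompatible contract. A target with no code, `address(0)` included, makes the `supportsInterface` call itself revert, so the "Zero address" `require` on the first added line is redundant, and the "Invalid implementation" string is only reached when the target returns `false`. The hunk also does not show ThunderLoan implementing ERC-165, which the upgraded contract would need for this check to pass. If the intent is to bound a key compromise, the delay or multi-sig mentioned in the last sentence of the mitigation is the part that should be in the patch.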
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 20 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement