Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

IThunderLoan.repay() declares address parameter but implementation uses IERC20, breaking typed receiver integrations

cybervikink

Root + Impact

Description

The issue

The interface and the implementation declare repay() with different parameter types for token:

// IThunderLoan.sol

// @> Parameter typed as address

function repay(address token, uint256 amount) external;

// ThunderLoan.sol

// @> Parameter typed as IERC20

function repay(IERC20 token, uint256 amount) public;

Risk

Likelihood:

Affects every integrator who follows the provided interface and uses strict Solidity typing
The mismatch is invisible at runtime but causes compile errors in correctly-typed receiver contracts

Impact:

Receiver contracts that use the interface as intended will not compile without manual type casting
Off-chain tooling and SDKs that generate bindings from the interface ABI will produce incorrect types
Future developers inheriting the codebase are likely to cargo-cult the incorrect type into downstream contracts

Proof of Concept

// A correctly-written receiver using the provided interface:

contract MyReceiver is IFlashLoanReceiver {

IThunderLoan private immutable i_thunderLoan;

function executeOperation(

address token, // token arrives as address

uint256 amount,

uint256 fee,

address,

bytes calldata

) external returns (bool) {

IERC20(token).approve(address(i_thunderLoan), amount + fee);

// @> Compile error: IThunderLoan.repay expects address,

// but ThunderLoan.repay expects IERC20

// These are different types in Solidity even if ABI-compatible

i_thunderLoan.repay(token, amount + fee); // type mismatch

return true;

}

// Compiler output:

// TypeError: Invalid type for argument in function call.

// Invalid implicit conversion from address to contract IERC20

Recommended Mitigation

Update IThunderLoan.sol to match the implementation signature exactly:

// @> Import IERC20 and use correct type

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

interface IThunderLoan {

// @> Changed: address token → IERC20 token

function repay(IERC20 token, uint256 amount) external;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!