Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: high

Invalid

initialize() parameter named tswapAddress but receives a pool factory address, causing developer confusion

cybervikink

Root + Impact

Description

The issue

The parameter is named tswapAddress, which suggests it is the address of a specific TSwap pool rather than the factory that manages all pools. OracleUpgradeable.__Oracle_init() correctly names the same value poolFactoryAddress, creating an inconsistency across the call chain.

// ThunderLoan.sol

// @> Parameter name implies a specific pool, not a factory

function initialize(address tswapAddress) external initializer {

__Ownable_init();

__UUPSUpgradeable_init();

// @> Passed to __Oracle_init which calls it poolFactoryAddress

__Oracle_init(tswapAddress);

s_feePrecision = 1e18;

s_flashLoanFee = 3e15;

}

// OracleUpgradeable.sol

// @> Correctly named poolFactoryAddress

function __Oracle_init(address poolFactoryAddress) internal onlyInitializing {

__Oracle_init_unchained(poolFactoryAddress);

}

Risk

Likelihood:

Any developer initialising the contract without reading OracleUpgradeable internals is likely to pass the wrong address type
Deployment scripts that auto-populate tswapAddress from config may point to a pool rather than the factory

Impact:

Silent misconfiguration — no revert, fees silently become zero for all tokens
Requires full redeployment to correct if caught late

Proof of Concept

// A reasonable but incorrect initialisation:

thunderLoan.initialize(address(specificUsdcWethPool));

// Developer passes a pool address, not the factory

// No revert — s_poolFactory is now set to the pool address

// IPoolFactory(poolAddress).getPool(token) → unexpected behaviour or address(0)

// All fees = 0 silently

Recommended Mitigation

Rename the parameter to match OracleUpgradeable:

// @> Renamed: tswapAddress → poolFactoryAddress

function initialize(address poolFactoryAddress) external initializer {

__Ownable_init();

__UUPSUpgradeable_init();

__Oracle_init(poolFactoryAddress);

s_feePrecision = 1e18;

s_flashLoanFee = 3e15;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!