`deposit()` calls `updateExchangeRate` with a phantom fee — every deposit inflates the AssetToken exchange rate without any actual fee being collected, redistributing value between LPs
Root + Impact
Description
-
AssetToken.updateExchangeRateis intended to be called when a flash-loan fee is collected: it ratchets the rate up so that AssetTokens become worth more underlying, distributing the fee to LPs pro-rata. The contract's own comment states: "should always go up, never down" — i.e. the function is specifically the fee-accrual lever. -
ThunderLoan.depositcallsupdateExchangeRate(calculatedFee)on every deposit, even though deposits do not pay any fee. The "fee" passed in is computed from the deposit amount itself viagetCalculatedFee, with no actual transfer of fee tokens. The result is that the exchange rate inflates on every deposit, even though the pool's real backing only increased byamount(notamount + fee). Subsequent LPs receive fewer AssetTokens than they should, and the first depositor's tokens are momentarily over-collateralized.
Risk
Likelihood:
-
Fires on every single
depositcall — the standard, expected path for liquidity providers. -
A single LP triggers it on themselves. Repeated deposits compound the inflation.
Impact: -
The exchange rate becomes detached from real backing. The pool's accounting shows AssetTokens worth more than the underlying held by the AssetToken vault.
-
When a later LP deposits, they receive fewer AssetTokens than the (now-inflated) rate suggests they should — value flows from later LPs to earlier ones with no fee-justification.
-
Eventually the gap between recorded exchange rate and real underlying coverage exceeds the available pool balance, and the last LP attempting to redeem will revert (
token.balanceOf(assetToken) < amountUnderlying). The protocol becomes silently insolvent.
Proof of Concept
Output: rate before deposit: 1.0e18, rate after deposit: 1.003e18. The rate increased by 0.3% on a single deposit, with zero fees actually entering the vault.
Recommended Mitigation
Remove the updateExchangeRate call from deposit. The exchange rate should only update when the protocol actually receives a fee — i.e. inside flashloan.
updateExchangeRate already exists in flashloan, where a real fee is collected; that is the only place it should run.
Lead Judging Commences
[H-02] Updating exchange rate on token deposit will inflate asset token's exchange rate faster than expected
# Summary Exchange rate for asset token is updated on deposit. This means users can deposit (which will increase exchange rate), and then immediately withdraw more underlying tokens than they deposited. # Details Per documentation: > Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. **These AssetTokens gain interest over time depending on how often people take out flash loans!** Asset tokens gain interest when people take out flash loans with the underlying tokens. In current version of ThunderLoan, exchange rate is also updated when user deposits underlying tokens. This does not match with documentation and will end up causing exchange rate to increase on deposit. This will allow anyone who deposits to immediately withdraw and get more tokens back than they deposited. Underlying of any asset token can be completely drained in this manner. # Filename `src/protocol/ThunderLoan.sol` # Permalinks https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L153-L154 # Impact Users can deposit and immediately withdraw more funds. Since exchange rate is increased on deposit, they will withdraw more funds then they deposited without any flash loans being taken at all. # Recommendations It is recommended to not update exchange rate on deposits and updated it only when flash loans are taken, as per documentation. ```diff function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) { AssetToken assetToken = s_tokenToAssetToken[token]; uint256 exchangeRate = assetToken.getExchangeRate(); uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate; emit Deposit(msg.sender, token, amount); assetToken.mint(msg.sender, mintAmount); - uint256 calculatedFee = getCalculatedFee(token, amount); - assetToken.updateExchangeRate(calculatedFee); token.safeTransferFrom(msg.sender, address(assetToken), amount); } ``` # POC ```solidity function testExchangeRateUpdatedOnDeposit() public setAllowedToken { tokenA.mint(liquidityProvider, AMOUNT); tokenA.mint(user, AMOUNT); // deposit some tokenA into ThunderLoan vm.startPrank(liquidityProvider); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); // another user also makes a deposit vm.startPrank(user); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); // after a deposit, asset token's exchange rate has aleady increased // this is only supposed to happen when users take flash loans with underlying assertGt(assetToken.getExchangeRate(), 1 * assetToken.EXCHANGE_RATE_PRECISION()); // now liquidityProvider withdraws and gets more back because exchange // rate is increased but no flash loans were taken out yet // repeatedly doing this could drain all underlying for any asset token vm.startPrank(liquidityProvider); thunderLoan.redeem(tokenA, assetToken.balanceOf(liquidityProvider)); vm.stopPrank(); assertGt(tokenA.balanceOf(liquidityProvider), AMOUNT); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.