Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

updateFlashLoanFee changes a protocol-critical parameter without emitting an event

sub99

`updateFlashLoanFee` changes a protocol-critical parameter without emitting an event

Description

setAllowedToken emits AllowedTokenSet, but updateFlashLoanFee mutates s_flashLoanFee — a parameter that directly affects every flash-loan cost — without emitting any event.

// ThunderLoan.sol:253-258

function updateFlashLoanFee(uint256 newFee) external onlyOwner {

if (newFee > s_feePrecision) {

revert ThunderLoan__BadNewFee();

}

s_flashLoanFee = newFee; // @> state change with no event emitted

}

Risk

Likelihood:
Every fee update goes unlogged; this is guaranteed whenever the owner adjusts the fee.

Impact:
Off-chain monitoring, indexers, and integrators cannot reliably detect fee changes, and there is no on-chain audit trail. This is an informational/low-severity transparency gap rather than a fund-loss bug.

Proof of Concept

Record logs around a fee update and assert none are emitted.

function test_updateFeeEmitsNoEvent() public {

vm.recordLogs();

thunderLoan.updateFlashLoanFee(2e15);

Vm.Log[] memory logs = vm.getRecordedLogs();

assertEq(logs.length, 0); // no event emitted on fee change

}

Recommended Mitigation

Add and emit a dedicated event so fee changes are observable.

+ event FlashLoanFeeUpdated(uint256 oldFee, uint256 newFee);

function updateFlashLoanFee(uint256 newFee) external onlyOwner {

if (newFee > s_feePrecision) {

revert ThunderLoan__BadNewFee();

}

+ emit FlashLoanFeeUpdated(s_flashLoanFee, newFee);

s_flashLoanFee = newFee;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] updateFlashLoanFee() missing event

## Description `ThunderLoan::updateFlashLoanFee()` and `ThunderLoanUpgraded::updateFlashLoanFee()` does not emit an event, so it is difficult to track changes in the value `s_flashLoanFee` off-chain. ## Vulnerability Details ```solidity function updateFlashLoanFee(uint256 newFee) external onlyOwner { if (newFee > FEE_PRECISION) { revert ThunderLoan__BadNewFee(); } @> s_flashLoanFee = newFee; } ``` ## Impact In Ethereum, events are used to facilitate communication between smart contracts and their user interfaces or other off-chain services. When an event is emitted, it gets logged in the transaction receipt, and these logs can be monitored and reacted to by off-chain services or user interfaces. Without a `FeeUpdated` event, any off-chain service or user interface that needs to know the current `s_flashLoanFee` would have to actively query the contract state to get the current value. This is less efficient than simply listening for the `FeeUpdated` event, and it can lead to delays in detecting changes to the `s_flashLoanFee`. The impact of this could be significant because the `s_flashLoanFee` is used to calculate the cost of the flash loan. If the fee changes and an off-chain service or user is not aware of the change because they didn't query the contract state at the right time, they could end up paying a different fee than they expected. ## Recommendations Emit an event for critical parameter changes. ```diff + event FeeUpdated(uint256 indexed newFee); function updateFlashLoanFee(uint256 newFee) external onlyOwner { if (newFee > s_feePrecision) { revert ThunderLoan__BadNewFee(); } s_flashLoanFee = newFee; + emit FeeUpdated(s_flashLoanFee); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!