Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Storage collision in ThunderLoanUpgraded causes s_flashLoanFee to read stale s_feePrecision value, setting fee to 100%

abderrahmanekouadri

When ThunderLoan is upgraded to ThunderLoanUpgraded, the variable s_feePrecision is removed without preserving the storage layout. Since EVM storage is position-based, s_flashLoanFee shifts from Slot 2 to Slot 1, where it reads the stale value of the old s_feePrecision

Root + Impact

// ThunderLoan.sol
uint256 private s_feePrecision; // @> Slot 1 - REMOVED in upgrade!
uint256 private s_flashLoanFee; // @> Slot 2

// ThunderLoanUpgraded.sol
uint256 private s_flashLoanFee; // @> Slot 1 - reads stale 1e18 (100%)!

Description

ThunderLoan protocol is a flash loan protocol that allows users to borrow tokens and return them with a fee in the same transaction. The fee is calculated using two storage variables: s_feePrecision (1e18) and s_flashLoanFee (3e15 = 0.3%). When the protocol owner upgrades ThunderLoan to ThunderLoanUpgraded using the UUPS proxy pattern, the new implementation removes s_feePrecision and replaces it with a constant FEE_PRECISION. This breaks the storage layout because EVM storage slots are position-based, causing s_flashLoanFee to shift from Slot 2 to Slot 1, where it reads the stale value left by the old s_feePrecision variable (1e18 = 100%).

// ThunderLoan.sol (original implementation)
// Slot 0: s\_tokenToAssetToken (mapping)
uint256 private s\_feePrecision; // @> Slot 1 = 1e18 (set in initialize())
uint256 private s\_flashLoanFee; // @> Slot 2 = 3e15 (set in initialize())
// ThunderLoanUpgraded.sol (new implementation)\
// Slot 0: s\_tokenToAssetToken (mapping)
uint256 private s\_flashLoanFee; // @> Slot 1 - COLLISION! reads stale 1e18
uint256 public constant FEE\_PRECISION = 1e18; // constant - no storage slot

Risk

Likelihood:

The protocol owner calls upgradeTo() to upgrade ThunderLoan to ThunderLoanUpgraded.
The collision happens automatically on every upgrade with no additional conditions needed.

Impact:

Every flash loan charges 100% fee instead of 0.3%, making the protocol completely unusable.
Liquidity providers lose yield and borrowers cannot use flash loans after upgrade.

Proof of Concept

To reproduce, add the following test to ThunderLoanTest.t.sol and add this import at the top:

import { ThunderLoanUpgraded } from "../../src/upgradedProtocol/ThunderLoanUpgraded.sol";

Then run:
forge test --match-test testStorageCollisionAfterUpgrade -vvvv

Expected result: Test passes with feeAfter = 1e18 (100%) confirming the bug.

function testStorageCollisionAfterUpgrade() public setAllowedToken hasDeposits {
// Before upgrade: fee is correct 0.3%
assertEq(thunderLoan.getFee(), 3e15);
// Perform upgrade
ThunderLoanUpgraded upgraded = new ThunderLoanUpgraded();
thunderLoan.upgradeTo(address(upgraded));
ThunderLoanUpgraded thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy));
// After upgrade: fee is 100% - BUG CONFIRMED
assertEq(thunderLoanUpgraded.getFee(), 1e18);
}

Recommended Mitigation

Add s_feePrecision as a placeholder variable in ThunderLoanUpgraded to preserve the original storage layout and prevent the slot collision.

- uint256 private s_flashLoanFee;
+ uint256 private s_feePrecision;
+ uint256 private s_flashLoanFee;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!