Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

ExchangeRate insolvency: promised underlying exceeds actual balance

asanbay05

Root + Impact

AssetToken.updateExchangeRate() increases the exchange rate based on a calculated fee without ensuring the actual underlying token balance has grown proportionally. Over time, the total promised underlying (exchangeRate * totalSupply) exceeds the actual underlying balance, making the protocol insolvent. Depositors cannot fully redeem their assetTokens.

Description

• Normal behavior: The exchange rate should only increase when the actual underlying token balance in the contract grows. Every assetToken must be fully backed by underlying tokens. • Specific issue: The formula newExchangeRate = oldRate * (supply + fee) / supply treats fee as if it represents actual underlying added. However, flashloan fees are calculated in WETH terms, not underlying terms, and the actual underlying added via flashloan repayment is not correctly reflected. The underlying balance does not grow when exchangeRate increases, but the promised underlying does.

Risk

Likelihood: High — this occurs naturally through normal protocol usage. Every deposit and flashloan call increases the exchange rate without a proportional underlying balance increase.

Impact: High — complete protocol insolvency. Late redeemers receive nothing. The gap between promised and actual underlying widens with each operation until the contract cannot fulfill redemptions.

Proof of Concept

solidity

// Initial state: exchangeRate = 1e18, AssetToken underlying = 0

// Step 1: Alice deposits 1000 tokens

// mintAmount = 1000 * 1e18 / 1e18 = 1000 assetToken

// fee = getCalculatedFee(1000) = ~3

// updateExchangeRate(3): newRate = 1e18 * (1000+3)/1000 = 1.003e18

// AssetToken underlying balance = 1000

// Step 2: Bob deposits 1000 tokens

// mintAmount = 1000 * 1e18 / 1.003e18 = 997 assetToken

// fee = 3, updateExchangeRate(3): newRate = 1.003e18 * (1997+3)/1997 ≈ 1.006e18

// AssetToken underlying balance = 2000

// Step 3: After 100 flashloans of 1000 each: exchangeRate ≈ 1.3e18

// Total promised underlying = 1997 * 1.3e18 / 1e18 ≈ 2596

// Actual underlying = 2000 + flashloan repayments (less than promised)

// Step 4: Alice redeems 1000 assetToken

// Gets: 1000 * 1.3e18 / 1e18 = 1300 underlying

// AssetToken balance: 2000 - 1300 = 700

// Step 5: Bob tries to redeem 997 assetToken

// Expects: 997 * 1.3e18 / 1e18 = 1296 underlying

// But AssetToken only has 700! → REVERT or partial payment

Recommended Mitigation

solidity

function updateExchangeRate() external onlyThunderLoan {

uint256 underlyingBalance = i_underlying.balanceOf(address(this));

uint256 supply = totalSupply();

if (supply == 0) return;

uint256 newRate = (underlyingBalance * EXCHANGE_RATE_PRECISION) / supply;

if (newRate <= s_exchangeRate) {

revert AssetToken__ExhangeRateCanOnlyIncrease(s_exchangeRate, newRate);

}

s_exchangeRate = newRate;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Updating exchange rate on token deposit will inflate asset token's exchange rate faster than expected

# Summary Exchange rate for asset token is updated on deposit. This means users can deposit (which will increase exchange rate), and then immediately withdraw more underlying tokens than they deposited. # Details Per documentation: > Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. **These AssetTokens gain interest over time depending on how often people take out flash loans!** Asset tokens gain interest when people take out flash loans with the underlying tokens. In current version of ThunderLoan, exchange rate is also updated when user deposits underlying tokens. This does not match with documentation and will end up causing exchange rate to increase on deposit. This will allow anyone who deposits to immediately withdraw and get more tokens back than they deposited. Underlying of any asset token can be completely drained in this manner. # Filename `src/protocol/ThunderLoan.sol` # Permalinks https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/ThunderLoan.sol#L153-L154 # Impact Users can deposit and immediately withdraw more funds. Since exchange rate is increased on deposit, they will withdraw more funds then they deposited without any flash loans being taken at all. # Recommendations It is recommended to not update exchange rate on deposits and updated it only when flash loans are taken, as per documentation. ```diff function deposit(IERC20 token, uint256 amount) external revertIfZero(amount) revertIfNotAllowedToken(token) { AssetToken assetToken = s_tokenToAssetToken[token]; uint256 exchangeRate = assetToken.getExchangeRate(); uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate; emit Deposit(msg.sender, token, amount); assetToken.mint(msg.sender, mintAmount); - uint256 calculatedFee = getCalculatedFee(token, amount); - assetToken.updateExchangeRate(calculatedFee); token.safeTransferFrom(msg.sender, address(assetToken), amount); } ``` # POC ```solidity function testExchangeRateUpdatedOnDeposit() public setAllowedToken { tokenA.mint(liquidityProvider, AMOUNT); tokenA.mint(user, AMOUNT); // deposit some tokenA into ThunderLoan vm.startPrank(liquidityProvider); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); // another user also makes a deposit vm.startPrank(user); tokenA.approve(address(thunderLoan), AMOUNT); thunderLoan.deposit(tokenA, AMOUNT); vm.stopPrank(); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); // after a deposit, asset token's exchange rate has aleady increased // this is only supposed to happen when users take flash loans with underlying assertGt(assetToken.getExchangeRate(), 1 * assetToken.EXCHANGE_RATE_PRECISION()); // now liquidityProvider withdraws and gets more back because exchange // rate is increased but no flash loans were taken out yet // repeatedly doing this could drain all underlying for any asset token vm.startPrank(liquidityProvider); thunderLoan.redeem(tokenA, assetToken.balanceOf(liquidityProvider)); vm.stopPrank(); assertGt(tokenA.balanceOf(liquidityProvider), AMOUNT); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!