Thunder Loan

AI First Flight #7

Beginner FriendlyFoundryDeFiOracle

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

No minimum deposit allows first depositor inflation attack

asanbay05

Root + Impact

ThunderLoan.deposit() has no minimum deposit amount. The first depositor can deposit 1 wei, then subsequent deposits round down to 0 assetTokens due to integer division with an inflated exchange rate. The first depositor captures all value.

Description

• Normal behavior: A minimum deposit should prevent the first depositor from gaming the exchange rate precision. Depositors should receive assetTokens proportional to their deposit. • Specific issue: With no minimum deposit, the first depositor deposits 1 wei and receives 1 assetToken. After exchange rate inflation, the second depositor's larger deposit rounds down to 0 assetToken due to integer division. The first depositor redeems and captures almost all value.

Risk

Likelihood: Medium — requires the first depositor to act maliciously, but this is a well-known attack pattern.

Impact: Medium — subsequent depositors lose their entire deposit. The first depositor steals all funds.

Proof of Concept

solidity

// First depositor deposits 1 wei

thunderLoan.deposit(token, 1);

// Gets 1 assetToken, exchangeRate = 1e18

// Flashloans inflate exchangeRate to 2e18

// Second depositor deposits 1000 tokens

// mintAmount = 1000 * 1e18 / 2e18 = 0 (integer division!)

thunderLoan.deposit(token, 1000);

// Gets 0 assetToken! 1000 tokens trapped.

// First depositor redeems 1 assetToken

// Gets: 1 * 2e18 / 1e18 = 2 underlying (all value)

Recommended Mitigation

solidity

uint256 private constant MINIMUM_DEPOSIT = 1000;

modifier revertIfBelowMinimum(uint256 amount) {

if (amount < MINIMUM_DEPOSIT) revert ThunderLoan__BelowMinimumDeposit();

}

function deposit(IERC20 token, uint256 amount) external revertIfBelowMinimum(amount) {

// ... existing logic ...

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!