Thunder Loan

AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Submission Details
Severity: high
Valid

Storage-layout collision in the upgrade corrupts the flash-loan fee from 0.3% to 100%

Storage-layout collision in the upgrade corrupts the flash-loan fee from 0.3% to 100%

Severity: High · Impact: High · Likelihood: High

Description

  • The protocol is UUPS-upgradeable, and the upgrade from ThunderLoan to ThunderLoanUpgraded is in scope. For a proxy upgrade to be safe, the new implementation must preserve the exact storage-slot order of the old one — the proxy keeps its storage and only swaps the logic.

  • ThunderLoan declares s_feePrecision (a storage variable, = 1e18) immediately before s_flashLoanFee (= 3e15). ThunderLoanUpgraded deletes s_feePrecision and re-introduces the value as FEE_PRECISION, a constant — which occupies no storage slot. Every storage variable after it therefore shifts up by one slot, so the upgraded s_flashLoanFee now reads the slot that used to hold s_feePrecision (1e18).

// ThunderLoan.sol (before)
uint256 private s_feePrecision; // slot k+1 == 1e18
uint256 private s_flashLoanFee; // slot k+2 == 3e15 (0.3%)
// ThunderLoanUpgraded.sol (after)
@> uint256 private s_flashLoanFee; // slot k+1 -> now reads 1e18 !
@> uint256 public constant FEE_PRECISION = 1e18; // constant: occupies NO slot

Risk

Likelihood:

  • Occurs deterministically the moment the owner performs the in-scope upgrade — no attacker action is required, the corruption is baked into the layout change.

Impact:

  • Post-upgrade s_flashLoanFee reads 1e18, so getCalculatedFee charges ~100% of the borrowed value instead of 0.3% — flash loans become economically impossible and any borrower who proceeds is massively overcharged.

  • s_currentlyFlashLoaning's mapping base slot also shifts, corrupting the flash-loan reentrancy/repay guard.

Proof of Concept

Save the block below as test/PocH1.t.sol and run forge test --mt test_upgrade_corrupts_flash_loan_fee -vv. The fee jumps from 3e15 to 1e18 purely from the upgrade.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
import { Test, console } from "forge-std/Test.sol";
import { ThunderLoan } from "../src/protocol/ThunderLoan.sol";
import { ThunderLoanUpgraded } from "../src/upgradedProtocol/ThunderLoanUpgraded.sol";
import { MockPoolFactory } from "./mocks/MockPoolFactory.sol";
import { ERC1967Proxy } from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
contract PocH1 is Test {
ThunderLoan thunderLoan;
function setUp() public {
ThunderLoan impl = new ThunderLoan();
MockPoolFactory factory = new MockPoolFactory();
ERC1967Proxy proxy = new ERC1967Proxy(address(impl), "");
thunderLoan = ThunderLoan(address(proxy));
thunderLoan.initialize(address(factory));
}
function test_upgrade_corrupts_flash_loan_fee() public {
uint256 feeBefore = thunderLoan.getFee();
assertEq(feeBefore, 3e15); // 0.3%
ThunderLoanUpgraded upgraded = new ThunderLoanUpgraded();
thunderLoan.upgradeTo(address(upgraded)); // owner-authorized UUPS upgrade
uint256 feeAfter = ThunderLoanUpgraded(address(thunderLoan)).getFee();
console.log("fee before:", feeBefore); // 3000000000000000
console.log("fee after: ", feeAfter); // 1000000000000000000
assertEq(feeAfter, 1e18); // corrupted to old s_feePrecision
assertGt(feeAfter, feeBefore * 300); // >300x inflation
}
}

Recommended Mitigation

Preserve the original storage layout across the upgrade. Keep s_feePrecision as a storage variable in the same slot (do not convert it to a constant), or if it must become a constant, insert a placeholder/gap so s_flashLoanFee stays in its original slot.

// ThunderLoanUpgraded.sol
- uint256 private s_flashLoanFee;
- uint256 public constant FEE_PRECISION = 1e18;
+ uint256 private s_feePrecision; // keep the original slot occupied (unused placeholder)
+ uint256 private s_flashLoanFee; // stays in its original slot
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!