Thunder Loan

AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Submission Details
Severity: high
Valid

Storage collision on ThunderLoan → ThunderLoanUpgraded upgrade

Description

Normal behavior

Upgrading a UUPS proxy should preserve the storage layout or use explicit storage gaps. New variables must be appended after existing ones, and removed variables must never be replaced by incompatible state in the same slot.

Specific issue

ThunderLoan stores s_feePrecision (value 1e18) at storage slot 203. In ThunderLoanUpgraded, s_feePrecision is removed and the s_flashLoanFee storage variable is reinterpreted at the same layout position. After the upgrade, the old value 1e18 is read as the flash-loan fee, meaning every flash loan charges 100% of the borrowed amount instead of 0.3%.

// src/protocol/ThunderLoan.sol
// Storage layout before upgrade:
// slot 0: mapping s_tokenToAssetToken
// slot 1: uint256 s_feePrecision = 1e18
// slot 2: uint256 s_flashLoanFee = 3e15
// slot 3: mapping s_currentlyFlashLoaning
mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
uint256 private s_feePrecision;
uint256 private s_flashLoanFee;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;
// src/upgradedProtocol/ThunderLoanUpgraded.sol
// Storage layout after upgrade — s_feePrecision removed, s_flashLoanFee shifted into slot 1
// slot 0: mapping s_tokenToAssetToken
// slot 1: uint256 s_flashLoanFee (reads old s_feePrecision value = 1e18)
// slot 2: mapping s_currentlyFlashLoaning
mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
uint256 private s_flashLoanFee; // now reads 1e18 => 100% fee
uint256 public constant FEE_PRECISION = 1e18;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;
// ThunderLoanUpgraded.sol — getCalculatedFee now uses the corrupted 100% fee
function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
//slither-disable-next-line divide-before-multiply
uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / FEE_PRECISION;
//slither-disable-next-line divide-before-multiply
@> fee = (valueOfBorrowedToken * s_flashLoanFee) / FEE_PRECISION;
// s_flashLoanFee == 1e18, so fee == valueOfBorrowedToken
}

Risk

### Likelihood

* The upgrade from `ThunderLoan` to `ThunderLoanUpgraded` is explicitly in the scope and described in the README.

* Any future proxy upgrade to the shipped implementation will immediately corrupt the fee variable.

### Impact

* After the upgrade, every flash loan charges 100% of the borrowed value, making the protocol unusable for borrowers.

* The protocol loses its intended 0.3% fee model and cannot generate yield for liquidity providers.

Proof of Concept

The PoC deploys ThunderLoanUpgraded, performs the UUPS upgrade, and shows that getFee() returns 1e18 instead of 3e15. getCalculatedFee() then returns the full borrowed amount, proving a 100% fee.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
import { ThunderLoan } from "src/protocol/ThunderLoan.sol";
import { ThunderLoanUpgraded } from "src/upgradedProtocol/ThunderLoanUpgraded.sol";
import { UUPSUpgradeable } from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
contract UpgradeBugTest {
ThunderLoan thunderLoan;
IERC20 token;
address owner = address(0x1);
function _upgradeToUpgraded() internal returns (ThunderLoanUpgraded upgraded) {
ThunderLoanUpgraded upgradedImpl = new ThunderLoanUpgraded();
vm.prank(thunderLoan.owner());
UUPSUpgradeable(address(thunderLoan)).upgradeTo(address(upgradedImpl));
upgraded = ThunderLoanUpgraded(address(thunderLoan));
}
function test_H8_PoC_storageCollision_corruptsFlashLoanFee() public {
assertEq(thunderLoan.getFee(), 3e15, "pre-upgrade fee is 0.3%");
ThunderLoanUpgraded upgraded = _upgradeToUpgraded();
@> assertEq(upgraded.getFee(), 1e18, "storage collision: fee reads old s_feePrecision value");
assertNotEq(upgraded.getFee(), 3e15, "intended 0.3% fee corrupted after upgrade");
}
function test_H8_PoC_storageCollision_feeCalculationBroken() public {
ThunderLoanUpgraded upgraded = _upgradeToUpgraded();
uint256 fee = upgraded.getCalculatedFee(token, 100e18);
@> assertEq(fee, 100e18, "100% fee: corrupted s_flashLoanFee reads as 1e18");
}
}

Recommended Mitigation

The root cause is removing a storage variable without inserting a gap or preserving the slot. The upgraded contract must keep s_feePrecision in its original slot or add a storage gap to prevent variables from shifting.

// Option 1: Preserve s_feePrecision in ThunderLoanUpgraded
contract ThunderLoanUpgraded is Initializable, OwnableUpgradeable, UUPSUpgradeable, OracleUpgradeable {
mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
// Keep the original slot occupied
@> uint256 private s_feePrecision;
uint256 private s_flashLoanFee;
uint256 public constant FEE_PRECISION = 1e18;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;
function initialize(address tswapAddress) external initializer {
__Ownable_init();
__UUPSUpgradeable_init();
__Oracle_init(tswapAddress);
s_feePrecision = 1e18;
s_flashLoanFee = 3e15;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Storage Collision during upgrade

## Description The thunderloanupgrade.sol storage layout is not compatible with the storage layout of thunderloan.sol which will cause storage collision and mismatch of variable to different data. ## Vulnerability Details Thunderloan.sol at slot 1,2 and 3 holds s_feePrecision, s_flashLoanFee and s_currentlyFlashLoaning, respectively, but the ThunderLoanUpgraded at slot 1 and 2 holds s_flashLoanFee, s_currentlyFlashLoaning respectively. the s_feePrecision from the thunderloan.sol was changed to a constant variable which will no longer be assessed from the state variable. This will cause the location at which the upgraded version will be pointing to for some significant state variables like s_flashLoanFee to be wrong because s_flashLoanFee is now pointing to the slot of the s_feePrecision in the thunderloan.sol and when this fee is used to compute the fee for flashloan it will return a fee amount greater than the intention of the developer. s_currentlyFlashLoaning might not really be affected as it is back to default when a flashloan is completed but still to be noted that the value at that slot can be cleared to be on a safer side. ## Impact 1. Fee is miscalculated for flashloan 1. users pay same amount of what they borrowed as fee ## POC 2 ``` function testFlashLoanAfterUpgrade() public setAllowedToken hasDeposits { //upgrade thunderloan upgradeThunderloan(); uint256 amountToBorrow = AMOUNT * 10; console.log("amount flashloaned", amountToBorrow); uint256 calculatedFee = thunderLoan.getCalculatedFee( tokenA, amountToBorrow ); AssetToken assetToken = thunderLoan.getAssetFromToken(tokenA); vm.startPrank(user); tokenA.mint(address(mockFlashLoanReceiver), amountToBorrow); thunderLoan.flashloan( address(mockFlashLoanReceiver), tokenA, amountToBorrow, "" ); vm.stopPrank(); console.log("feepaid", calculatedFee); assertEq(amountToBorrow, calculatedFee); } ``` Add the code above to thunderloantest.t.sol and run `forge test --mt testFlashLoanAfterUpgrade -vv` to test for the second poc ## Recommendations The team should should make sure the the fee is pointing to the correct location as intended by the developer: a suggestion recommendation is for the team to get the feeValue from the previous implementation, clear the values that will not be needed again and after upgrade reset the fee back to its previous value from the implementation. ##POC for recommendation ``` // function upgradeThunderloanFixed() internal { thunderLoanUpgraded = new ThunderLoanUpgraded(); //getting the current fee; uint fee = thunderLoan.getFee(); // clear the fee as thunderLoan.updateFlashLoanFee(0); // upgrade to the new implementation thunderLoan.upgradeTo(address(thunderLoanUpgraded)); //wrapped the abi thunderLoanUpgraded = ThunderLoanUpgraded(address(proxy)); // set the fee back to the correct value thunderLoanUpgraded.updateFlashLoanFee(fee); } function testSlotValuesFixedfterUpgrade() public setAllowedToken { AssetToken asset = thunderLoan.getAssetFromToken(tokenA); uint precision = thunderLoan.getFeePrecision(); uint fee = thunderLoan.getFee(); bool isflanshloaning = thunderLoan.isCurrentlyFlashLoaning(tokenA); /// 4 slots before upgrade console.log("????SLOTS VALUE BEFORE UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(asset)); console.log("slot 1 for s_feePrecision =>", precision); console.log("slot 2 for s_flashLoanFee =>", fee); console.log("slot 3 for s_currentlyFlashLoaning =>", isflanshloaning); //upgrade function upgradeThunderloanFixed(); //// after upgrade they are only 3 valid slot left because precision is now set to constant AssetToken assetUpgrade = thunderLoan.getAssetFromToken(tokenA); uint feeUpgrade = thunderLoan.getFee(); bool isflanshloaningUpgrade = thunderLoan.isCurrentlyFlashLoaning( tokenA ); console.log("????SLOTS VALUE After UPGRADE????"); console.log("slot 0 for s_tokenToAssetToken =>", address(assetUpgrade)); console.log("slot 1 for s_flashLoanFee =>", feeUpgrade); console.log( "slot 2 for s_currentlyFlashLoaning =>", isflanshloaningUpgrade ); assertEq(address(asset), address(assetUpgrade)); //asserting precision value before upgrade to be what fee takes after upgrades assertEq(fee, feeUpgrade); // #POC assertEq(isflanshloaning, isflanshloaningUpgrade); } ``` Add the code above to thunderloantest.t.sol and run with `forge test --mt testSlotValuesFixedfterUpgrade -vv`. it can also be tested with `testFlashLoanAfterUpgrade function` and see the fee properly calculated for flashloan

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!