

First Flight #3: Thunder Loan

Become more familiar with DeFi and flash loans in CodeHawks' most challenging First Flight yet! Thunder Loan allows users to create flash loans and provides yield to its liquidity providers!

Start Date Nov 1st, 2023 (12:00)
End Date Nov 8th, 2023 (12:00)

Thunder Loan


Contest Details


Prize Pool

  • High - 100xp

  • Medium - 20xp

  • Low - 2xp

  • Starts: Noon UTC Wednesday, Nov 01 2023

  • Ends: Noon UTC Wednesday, Nov 08 2023


  • nSLOC: 387
  • Complexity Score: 325

A flash loan protocol based on Aave and Compound.


The ⚡️ThunderLoan⚡️ protocol is meant to do the following:

  1. Give users a way to create flash loans
  2. Give liquidity providers a way to earn money off their capital

Liquidity providers can deposit assets into ThunderLoan and be given AssetTokens in return. These AssetTokens gain interest over time depending on how often people take out flash loans!

What is a flash loan?

A flash loan is a loan that exists for exactly 1 transaction. A user can borrow any amount of assets from the protocol as long as they pay it back in the same transaction. If they don't pay it back, the transaction reverts and the loan is cancelled.

Users additionally have to pay a small fee to the protocol depending on how much money they borrow.
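The mechanics described above (borrow, repay with a fee in the same transaction, revert otherwise, fees accruing to liquidity providers) can be modelled in a few lines. This is an added Python illustration, not ThunderLoan's Solidity code: the `Pool` class, the 0.30% fee and the pro-rata share accounting are assumptions made for the example.

```python
# Added illustration, not ThunderLoan's code: names, fee and share accounting are assumptions.
import copy

FEE_BPS = 30  # assumed fee: 0.30% of the borrowed amount


class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is undone."""


class Pool:
    def __init__(self):
        self.balance = 0   # underlying tokens held by the pool
        self.shares = {}   # liquidity provider -> shares (stand-in for AssetTokens)

    def deposit(self, provider, amount):
        total = sum(self.shares.values())
        minted = amount if total == 0 else amount * total // self.balance
        self.shares[provider] = self.shares.get(provider, 0) + minted
        self.balance += amount

    def redeemable(self, provider):
        return self.shares.get(provider, 0) * self.balance // sum(self.shares.values())

    def flash_loan(self, amount, borrower):
        snapshot = copy.deepcopy(self.__dict__)      # state at transaction start
        try:
            if amount > self.balance:
                raise Revert("not enough liquidity")
            before = self.balance
            fee = amount * FEE_BPS // 10_000          # fee scales with the amount borrowed
            self.balance -= amount                    # 1. funds leave the pool
            self.balance += borrower(amount, fee)     # 2. callback returns what it repays
            if self.balance < before + fee:           # 3. repayment check
                raise Revert("loan plus fee not repaid")
            return fee
        except Revert:
            self.__dict__ = snapshot                  # roll every change back
            raise


def run_demo():
    pool = Pool()
    pool.deposit("lp", 1_000_000)
    fee = pool.flash_loan(500_000, lambda amount, fee: amount + fee)  # repays in full
    try:
        pool.flash_loan(500_000, lambda amount, fee: amount)          # omits the fee
    except Revert:
        return fee, "reverted", pool.balance, pool.redeemable("lp")
    return fee, "accepted", pool.balance, pool.redeemable("lp")
```

The repaid loan leaves its fee in the pool, which raises what the provider's shares redeem for; the underpaid loan reverts and leaves the pool exactly as it was.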

We are planning to upgrade from the current ThunderLoan contract to the ThunderLoanUpgraded contract. Please include this upgrade in scope of a security review.

Getting Started


  • git
    • You'll know you did it right if you can run git --version and you see a response like git version x.x.x
  • foundry
    • You'll know you did it right if you can run forge --version and you see a response like forge 0.2.0 (816e00b 2023-03-16T00:05:26.396218Z)


git clone
cd 2023-11-Thunder-Loan

Optional Gitpod

If you can't or don't want to install and run locally, you can work with this repo in Gitpod. If you do this, you can skip the "clone this repo" step.




forge test

Test Coverage

forge coverage

and for coverage based testing:

forge coverage --report debug

Audit Scope Details

  • Commit Hash: e8ce05f5530ca965165d41547b289604f873fdf6
  • In Scope:
├── interfaces
│   ├── IFlashLoanReceiver.sol
│   ├── IPoolFactory.sol
│   ├── ITSwapPool.sol
│   └── IThunderLoan.sol
├── protocol
│   ├── AssetToken.sol
│   ├── OracleUpgradeable.sol
│   └── ThunderLoan.sol
└── upgradedProtocol
    └── ThunderLoanUpgraded.sol


  • Solc Version: 0.8.20
  • Chains:
    • ETH
  • Tokens:
    • All tokens that follow the ERC20 Standard
    • Any ERC20 that does not is only included if it is specified below:
      • USDT: 0xdAC17F958D2ee523a2206206994597C13D831ec7
      • USDC: 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48
      • STA: 0xa7DE087329BFcda5639247F96140f9DAbe3DeED1
      • PAXG: 0x45804880De22913dAFE09f4980848ECE6EcbAf78
      • BNB: 0xB8c77482e45F1F44dE1745F52C74426C631bDD52
      • ZIL: 0x05f4a42e251f2d52b8ed15E9FEdAacFcEF1FAD27
      • KNC: 0xdd974D5C2e2928deA5F71b9825b8b646686BD200


  • Owner: The owner of the protocol who has the power to upgrade the implementation.
  • Liquidity Provider: A user who deposits assets into the protocol to earn interest.
  • User: A user who takes out flash loans from the protocol.

Known Issues