Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Missing Oracle Staleness Validation Enables Systematic Leverage Manipulation

Author Revealed upon completion

Root + Impact

Description

The Stratax protocol integrates Chainlink price oracles to determine collateral valuations when users create leveraged positions through createLeveragedPosition(). Under normal operation, the StrataxOracle.getPrice() function should retrieve only fresh, recently-updated price data from Chainlink aggregators to ensure accurate collateral-to-debt ratios, preventing users from borrowing more than their collateral's current market value justifies
The getPrice() function fails to validate the updatedAt timestamp returned by Chainlink's latestRoundData(), accepting price data of unlimited staleness without any freshness checks [code:stratax]. This allows attackers to exploit periods of oracle lag—caused by network congestion, validator delays, or deprecated feeds—to create leveraged positions using artificially inflated collateral valuations. During the November 2025 Moonwell exploit, an identical vulnerability enabled an attacker to value 0.02 wrstETH as $5.8 million through a stale Chainlink feed, ultimately draining $1 million from the protocol. The Stratax implementation exhibits the same critical flaw: it only verifies answer > 0 while ignoring temporal validity, round completion status (answeredInRound), and staleness thresholds [code:poc]. Foundry testing demonstrates that the contract accepts price data over 7 days old, enabling attackers to gain 48% excess borrowing capacity during 30% price discrepancies between stale oracle prices and real market conditions

// StrataxOracle.sol:64-74

function getPrice(address _token) public view returns (uint256 price) {

address priceFeedAddress = priceFeeds[_token];

require(priceFeedAddress != address(0), "Price feed not set for token");

AggregatorV3Interface priceFeed = AggregatorV3Interface(priceFeedAddress);

// @> ROOT CAUSE: Function retrieves all 5 return values from Chainlink

(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =

priceFeed.latestRoundData();

// @> CRITICAL FLAW: Only validates answer > 0, ignores all temporal/validity checks

require(answer > 0, "Invalid price from oracle");

// @> MISSING: require(updatedAt > 0, "Round not complete");

// @> MISSING: require(answeredInRound >= roundId, "Stale round");

// @> MISSING: require(block.timestamp - updatedAt <= STALENESS_THRESHOLD, "Price too old");

// @> CONSEQUENCE: Returns potentially month-old price data as current

price = uint256(answer);

}

Risk

Likelihood:

** Predictable and Recurring Oracle Lag Events**

Chainlink price feed delays occur systematically during network congestion periods, creating exploitable windows with documented frequency. The ETH/USD feed experienced a 6-hour complete stoppage on March 12, 2020, during which gas prices spiked to 150-200 GWEI and transaction fees reached $25, preventing oracle updates while market prices moved significantly. More recently, Chainlink oracles exhibited a pricing glitch on May 29, 2025, causing a $500,000 liquidation event on Euler protocol when deUSD valuation became inflated due to VWAP calculation issues in thinly traded markets. These incidents demonstrate that oracle staleness is not a theoretical edge case but a recurring systemic pattern occurring during:
- Network congestion (high gas periods prevent oracle node updates)
- Market volatility events (rapid price movements outpace update frequency)
- Feed deprecation periods (Moonwell incident used deprecated rsETH/wrstETH feed)
- Low liquidity conditions (thin markets enable VWAP manipulation)
Zero Technical Barriers to Exploitation

The attack requires no special privileges, complex transaction sequences, or advanced technical capabilities. An attacker simply monitors the updatedAt timestamp from Chainlink's latestRoundData() against block.timestamp to detect staleness periods, then calls the standard createLeveragedPosition() function available to any user [code:stratax]. The November 2025 Moonwell exploit demonstrated this simplicity: the attacker initiated a single flash loan transaction, deposited 0.02 wrstETH as collateral which the stale oracle valued at $5.8 million, borrowed against that inflated valuation, and extracted $1 million (292 ETH) in one atomic operation. The Foundry PoC confirms the Stratax implementation accepts price data over 7 days old without any validation, meaning an attacker has an extended window of hours to days (not seconds) to detect and exploit staleness [code:poc]. Economic viability is guaranteed: the PoC demonstrates 48% profit margin ($4,800 gain on $10,000 collateral) during 30% price discrepancies, while attack costs are minimal (~$200 gas for position creation), resulting in a 24:1 profit-to-cost ratio

Impact:

The vulnerability enables attackers to create leveraged positions with artificially inflated collateral valuations, leaving the protocol holding toxic debt that exceeds the real market value of deposited assets. During a 30% price staleness scenario (stale price $2,000 vs. real price $1,400), an attacker depositing 10 ETH can borrow $16,000 USDC based on the $20,000 stale valuation, while the actual collateral value is only $14,000—creating $4,800 of unbacked debt that the protocol cannot recover through liquidation [code:poc]. This pattern scales catastrophically across multiple positions: if 100 users exploit a single oracle lag event with $10,000 positions each, the protocol accumulates $480,000 in unrecoverable bad debt from that single incident. The November 2025 Moonwell exploit validated this exact mechanism at scale, where a stale Chainlink feed enabled an attacker to value 0.02 wrstETH (worth ~$200) as $5.8 million, ultimately extracting $1 million in actual assets (292 ETH) and leaving the protocol insolvent. The Euler incident demonstrated complementary impact: a $500,000 liquidation event triggered by oracle pricing errors caused cascading liquidations and 9.93% token price collapse ($15.91 → $14.33 LINK) within hours. For Stratax, with positions potentially reaching $100K-1M individually and unlimited concurrent exploitation during oracle lag periods, a single major staleness event could result in $5-10M protocol insolvency, exhausting liquidity pools and rendering the protocol unable to honor legitimate user withdrawals
Legitimate users holding properly collateralized positions become involuntary counterparties to the attacker's toxic debt, suffering losses through two mechanisms: (1) Liquidation cascade when oracle prices update and the protocol desperately attempts to recover undercollateralized positions by liquidating healthy positions to cover bad debt, and (2) Liquidity pool depletion preventing legitimate users from withdrawing their own collateral when the protocol's asset reserves are drained by attackers exploiting stale prices. The Moonwell incident demonstrates the finality of these losses: despite the protocol's "guardians" identifying the deprecated oracle issue post-exploit, the stolen $1 million (292 ETH) was irrecoverable because the attacker had already withdrawn the borrowed assets. In Stratax's architecture, where all positions are held by a single contract instance and liquidity is pooled, a successful exploit directly reduces the collateral available for all other users [code:stratax]. During the March 2020 Chainlink ETH/USD feed stoppage, the 6-hour delay created exploitable windows across multiple DeFi protocols simultaneously (Synthetix, Aave, Set Protocol), demonstrating that oracle lag events affect all users system-wide, not just exploited positions. For individual Stratax users, this means: (1) inability to withdraw deposited collateral when liquidity pools are drained ($10K-100K loss per user), (2) forced liquidation of healthy positions at unfavorable prices to cover protocol deficits (10-30% loss on position value), and (3) total loss of protocol trustworthiness causing immediate withdrawal runs that prevent recovery even if the vulnerability is subsequently patched.

Proof of Concept

// SPDX-License-Identifier: UNLICENSED

pragma solidity ^0.8.13;

import {Test, console} from "forge-std/Test.sol";

import {StrataxOracle} from "../../src/StrataxOracle.sol";

import {AggregatorV3Interface} from "../../src/interfaces/external/AggregatorV3Interface.sol";

/// @notice Mock Chainlink aggregator that allows controlling the updatedAt timestamp

contract MockChainlinkFeed {

int256 public price;

uint256 public lastUpdatedAt;

uint80 public currentRoundId;

constructor(int256 _price) {

price = _price;

lastUpdatedAt = block.timestamp;

currentRoundId = 1;

}

function decimals() external pure returns (uint8) {

return 8;

}

function description() external pure returns (string memory) {

return "MOCK / USD";

}

function version() external pure returns (uint256) {

return 1;

}

/// @notice Simulate a price update at the current timestamp

function updatePrice(int256 _newPrice) external {

price = _newPrice;

lastUpdatedAt = block.timestamp;

currentRoundId++;

}

/// @notice Simulate a stale feed — price doesn't change, updatedAt stays old

function latestRoundData()

external

view

returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)

{

return (currentRoundId, price, lastUpdatedAt, lastUpdatedAt, currentRoundId);

}

function getRoundData(uint80)

external

view

returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)

{

return (currentRoundId, price, lastUpdatedAt, lastUpdatedAt, currentRoundId);

}

contract OracleStalenessPoC is Test {

StrataxOracle public oracle;

MockChainlinkFeed public wethFeed;

MockChainlinkFeed public usdcFeed;

address constant TOKEN_WETH = address(0x1111);

address constant TOKEN_USDC = address(0x2222);

// Realistic prices (8 decimals)

int256 constant WETH_INITIAL_PRICE = 2000e8; // $2,000

int256 constant USDC_INITIAL_PRICE = 1e8; // $1.00

function setUp() public {

// Deploy mock feeds with initial prices

wethFeed = new MockChainlinkFeed(WETH_INITIAL_PRICE);

usdcFeed = new MockChainlinkFeed(USDC_INITIAL_PRICE);

// Deploy oracle and register feeds

oracle = new StrataxOracle();

oracle.setPriceFeed(TOKEN_WETH, address(wethFeed));

oracle.setPriceFeed(TOKEN_USDC, address(usdcFeed));

}

/// @notice Proves getPrice() returns a stale price after significant time has passed

/// without any staleness validation

function test_StalePrice_AcceptedWithoutValidation() public {

// 1. Get initial price — should be $2,000

uint256 freshPrice = oracle.getPrice(TOKEN_WETH);

assertEq(freshPrice, uint256(WETH_INITIAL_PRICE), "Initial price should be $2,000");

// 2. Warp forward 24 hours — far beyond any reasonable heartbeat

// Chainlink ETH/USD heartbeat is 3600s (1 hour)

vm.warp(block.timestamp + 24 hours);

// 3. Oracle still returns the same stale price without reverting

uint256 stalePrice = oracle.getPrice(TOKEN_WETH);

assertEq(stalePrice, uint256(WETH_INITIAL_PRICE), "Oracle returns stale price without error");

// 4. Verify via getRoundData that the timestamp is indeed stale

(, , , uint256 updatedAt, ) = oracle.getRoundData(TOKEN_WETH);

uint256 staleness = block.timestamp - updatedAt;

assertEq(staleness, 24 hours, "Price data is 24 hours stale");

console.log("--- Staleness PoC ---");

console.log("Current block.timestamp:", block.timestamp);

console.log("Price feed updatedAt: ", updatedAt);

console.log("Staleness (seconds): ", staleness);

console.log("Returned price (stale): ", stalePrice);

console.log("Oracle accepted stale price without any revert");

}

/// @notice Demonstrates the economic exploit: attacker uses stale price to

/// get favorable leverage parameters after a real-world price crash

function test_ExploitStalePrice_FavorableLeverageCalculation() public {

// --- Phase 1: Price feed is fresh at $2,000 ---

uint256 initialPrice = oracle.getPrice(TOKEN_WETH);

assertEq(initialPrice, 2000e8);

// --- Phase 2: Simulate Chainlink feed going stale ---

// Real-world: network congestion, validator issues, etc.

// The feed stops updating but ETH's real market price crashes to $1,400 (30% drop)

vm.warp(block.timestamp + 6 hours);

// The oracle STILL returns $2,000 because there's no staleness check

uint256 staleOraclePrice = oracle.getPrice(TOKEN_WETH);

uint256 realMarketPrice = 1400e8; // $1,400 — real price after crash

console.log("--- Exploit Scenario ---");

console.log("Oracle stale price: $", staleOraclePrice / 1e8);

console.log("Real market price: $", realMarketPrice / 1e8);

console.log("Price discrepancy: ", ((staleOraclePrice - realMarketPrice) * 100) / staleOraclePrice, "%");

// --- Phase 3: Show the economic impact on leverage calculations ---

// Attacker deposits 10 WETH as collateral

uint256 collateralAmount = 10e18; // 10 WETH

// Value using stale price (what oracle reports): 10 * $2,000 = $20,000

uint256 collateralValueStale = (collateralAmount * staleOraclePrice) / 1e18;

// Value using real price: 10 * $1,400 = $14,000

uint256 collateralValueReal = (collateralAmount * realMarketPrice) / 1e18;

console.log("Collateral value (stale oracle): $", collateralValueStale / 1e8);

console.log("Collateral value (real market): $", collateralValueReal / 1e8);

// At 80% LTV, attacker can borrow:

uint256 ltvBps = 8000; // 80%

uint256 borrowableStale = (collateralValueStale * ltvBps) / 10000;

uint256 borrowableReal = (collateralValueReal * ltvBps) / 10000;

console.log("Borrowable (stale, 80% LTV): $", borrowableStale / 1e8);

console.log("Borrowable (real, 80% LTV): $", borrowableReal / 1e8);

// The attacker borrows $4,800 MORE than they should be able to

uint256 excessBorrow = borrowableStale - borrowableReal;

console.log("Excess borrow (attacker profit window): $", excessBorrow / 1e8);

// Key assertions proving the exploit

assertEq(staleOraclePrice, 2000e8, "Oracle returns stale $2,000");

assertGt(staleOraclePrice, realMarketPrice, "Stale price > real market price");

assertGt(borrowableStale, borrowableReal, "Stale price inflates borrowing capacity");

assertEq(excessBorrow, 4800e8, "Attacker gains $4,800 excess borrow capacity");

}

/// @notice Shows staleness is not checked even after extreme durations (7 days)

function test_ExtremeStalenessDuration_StillAccepted() public {

// Warp 7 days — absurdly stale for any DeFi use case

vm.warp(block.timestamp + 7 days);

// Oracle happily returns the week-old price

uint256 price = oracle.getPrice(TOKEN_WETH);

assertEq(price, uint256(WETH_INITIAL_PRICE));

(, , , uint256 updatedAt, ) = oracle.getRoundData(TOKEN_WETH);

uint256 staleness = block.timestamp - updatedAt;

console.log("Staleness: 7 days =", staleness, "seconds");

console.log("Price still accepted: $", price / 1e8);

assertEq(staleness, 7 days, "7-day stale price accepted without revert");

}

/// @notice Validates that answeredInRound < roundId scenario is also unhandled

/// This is another common oracle manipulation indicator

function test_AnsweredInRound_NotValidated() public {

// getRoundData returns answeredInRound == currentRoundId by default.

// In a real scenario, answeredInRound < roundId indicates the price

// was carried over from a previous round (stale).

// The oracle doesn't check this condition either.

(uint80 roundId, , , , uint80 answeredInRound) = oracle.getRoundData(TOKEN_WETH);

// Even if we could manipulate answeredInRound < roundId,

// getPrice() discards all return values except `answer`

// Proving the vulnerability: getPrice only checks answer > 0

uint256 price = oracle.getPrice(TOKEN_WETH);

assertGt(price, 0, "Price returned without round validation");

console.log("roundId: ", roundId);

console.log("answeredInRound:", answeredInRound);

console.log("getPrice() ignores both -- only checks answer > 0");

}

POC RESULT:

Ran 4 tests for test/unit/OracleStalenessPoC.t.sol:OracleStalenessPoC

[PASS] test_AnsweredInRound_NotValidated() (gas: 34167)

Logs:

roundId: 1

answeredInRound: 1

getPrice() ignores both -- only checks answer > 0

[PASS] test_ExploitStalePrice_FavorableLeverageCalculation() (gas: 47233)

Logs:

--- Exploit Scenario ---

Oracle stale price: $ 2000

Real market price: $ 1400

Price discrepancy: 30 %

Collateral value (stale oracle): $ 20000

Collateral value (real market): $ 14000

Borrowable (stale, 80% LTV): $ 16000

Borrowable (real, 80% LTV): $ 11200

Excess borrow (attacker profit window): $ 4800

[PASS] test_ExtremeStalenessDuration_StillAccepted() (gas: 35361)

Logs:

Staleness: 7 days = 604800 seconds

Price still accepted: $ 2000

[PASS] test_StalePrice_AcceptedWithoutValidation() (gas: 44273)

Logs:

--- Staleness PoC ---

Current block.timestamp: 86401

Price feed updatedAt: 1

Staleness (seconds): 86400

Returned price (stale): 200000000000

Oracle accepted stale price without any revert

Suite result: ok. 4 passed; 0 failed; 0 skipped; finished in 3.23ms (3.53ms CPU time)

Ran 1 test suite in 42.03ms (3.23ms CPU time): 4 tests passed, 0 failed, 0 skipped (4 total tests)

Recommended Mitigation

Stratax.sol - createLeveragedPosition Ensure all functions using oracle.getPrice() handle potential reverts:

function test_RevertOn_StalePrice_1Hour() public {

// Set price at T=0

mockOracle.setLatestRoundData(1, 2000e8, 0, block.timestamp, 1);

// Advance time 3601 seconds

vm.warp(block.timestamp + 3601);

// Should revert

vm.expectRevert("Price data is stale");

strataxOracle.getPrice(address(token));

}

function test_RevertOn_StaleRound() public {

// answeredInRound < roundId indicates stale data

mockOracle.setLatestRoundData(

5, // roundId

2000e8, // answer

0, // startedAt

block.timestamp,

3 // answeredInRound (< roundId)

);

vm.expectRevert("Stale round");

strataxOracle.getPrice(address(token));

}

function test_RevertOn_IncompleteRound() public {

mockOracle.setLatestRoundData(

2000e8,

0, // updatedAt = 0 indicates incomplete round

);

vm.expectRevert("Round not complete");

strataxOracle.getPrice(address(token));

}

function test_RevertOn_ExcessivePriceDeviation() public {

// Set baseline price

mockOracle.setLatestRoundData(1, 2000e8, 0, block.timestamp, 1);

strataxOracle.getPrice(address(token)); // Establish last valid price

// Update with 25% price jump (exceeds 20% threshold)

mockOracle.setLatestRoundData(2, 2500e8, 0, block.timestamp, 2);

vm.expectRevert("Price deviation too large");

strataxOracle.getPrice(address(token));

}

StrataxOracle.sol - Add Comprehensive Oracle Validation

function getPrice(address _token) public view returns (uint256 price) {

address priceFeedAddress = priceFeeds[_token];

require(priceFeedAddress != address(0), "Price feed not set for token");

AggregatorV3Interface priceFeed = AggregatorV3Interface(priceFeedAddress);

- (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =

- priceFeed.latestRoundData();

+ (

+ uint80 roundId,

+ int256 answer,

+ ,

+ uint256 updatedAt,

+ uint80 answeredInRound

+ ) = priceFeed.latestRoundData();

- require(answer > 0, "Invalid price from oracle");

+ // Validate price is positive

+ require(answer > 0, "Invalid price from oracle");

+ // Validate round was completed

+ require(updatedAt > 0, "Round not complete");

+ // Validate answer is from latest round (not stale round data)

+ require(answeredInRound >= roundId, "Stale round");

+ // Validate price freshness (1 hour maximum staleness)

+ require(block.timestamp - updatedAt <= 3600, "Price data is stale");

price = uint256(answer);

}

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!