Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: medium

Likelihood: high

IStratax unwindPosition signature drift causes integrator calls to fail against deployed contract

Author Revealed upon completion

Description

Normal behavior: public interface and implementation should expose matching ABI for all callable methods.
Issue: IStratax.unwindPosition has a different parameter list than Stratax.unwindPosition, so interface-generated calldata does not match the implementation function selector.

// src/interfaces/internal/IStratax.sol

@> function unwindPosition(

@> address _collateralToken,

@> address _debtToken,

@> uint256 _debtAmount,

@> bytes calldata _oneInchSwapData,

@> uint256 _minReturnAmount

@> ) external;

// src/Stratax.sol

@> function unwindPosition(

@> address _collateralToken,

@> uint256 _collateralToWithdraw,

@> address _debtToken,

@> uint256 _debtAmount,

@> bytes calldata _oneInchSwapData,

@> uint256 _minReturnAmount

@> ) external onlyOwner {

Risk

Likelihood:

Reason 1 // Integrators rely on IStratax for typed calls and selector generation.
Reason 2 // Signature mismatch is deterministic and occurs on every such call.

Impact:

Impact 1 // Unwind calls can revert/fail at ABI boundary.
Impact 2 // Operational inability to execute safety-critical unwind from integration stack.

Proof of Concept

This PoC ABI-encodes the unwind call using IStratax and sends it directly to the deployed Stratax contract. The call fails because the selector/argument layout does not match the implementation signature, proving interface drift is exploitable as an integration failure.

// test/poc/StrataxVulnerabilities.t.sol

function testPoC_InterfaceDrift_UnwindSelectorFromInterfaceFailsAgainstImplementation() public {

bytes memory payload = abi.encodeCall(

IStratax.unwindPosition,

(address(collateralToken), address(debtToken), 1e18, bytes(""), 0)

);

vm.prank(owner);

(bool ok,) = address(stratax).call(payload);

assertTrue(!ok, "call should fail due to ABI drift");

}

Recommended Mitigation

The mitigation is straightforward: keep one canonical ABI surface and enforce it in CI with selector-conformance tests. This prevents silent drift between interfaces used by integrators and actual deployed contracts.

- Keep divergent signatures between IStratax and Stratax implementation.

+ Update IStratax to exactly mirror Stratax signatures.

+ Add ABI conformance tests asserting selector equality for all public/external functions.

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!