Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Only the owner can recover tokens mistakenly sent to the contract, even when a non-owner sent them

Author Revealed upon completion

Root + Impact

Description

If a non-owner user mistakenly sends tokens to the contract, they cannot withdraw them, because the recovery function is restricted to the owner.

https://github.com/CodeHawks-Contests/2026-02-stratax-contracts/blob/f6525334ddeb7910733432a992daecb0a8041430/src/Stratax.sol#L282-L284

function recoverTokens(address _token, uint256 _amount) external onlyOwner {
    IERC20(_token).transfer(owner, _amount);
}

Risk

Likelihood:

The user may lose their funds permanently.

Proof of Concept


Add this test to the test contract:

function test_onlyOwnerCanGetLooseFund() public {
    vm.startPrank(address(0x123));
    vm.expectRevert(); // reverts because address(0x123) is not the owner
    stratax.recoverTokens(USDC, 10);
    vm.stopPrank();
}
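To make the finding and the caveat on the recommended mitigation concrete, the following Foundry test is an added example, not Stratax code: it uses a constructed stand-in for the recovery function (the real contract's onlyOwner revert reason may differ), a constructed mock token, and the placeholder addresses alice and bob. It shows the mis-sent tokens stuck for a non-owner, and that the unguarded variant proposed below lets an unrelated caller take the balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Constructed stand-ins (not Stratax code): the current owner-only recovery
// and the proposed unguarded variant, side by side.
contract RecoverOnlyOwner {
    address public owner = msg.sender;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function recoverTokens(address _token, uint256 _amount) external onlyOwner {
        ERC20(_token).transfer(owner, _amount);
    }
}
contract RecoverAnyone {
    function recoverTokens(address _token, uint256 _amount) external {
        ERC20(_token).transfer(msg.sender, _amount);
    }
}
contract MockUSDC is ERC20 {
    constructor() ERC20("Mock USDC", "USDC") { _mint(msg.sender, 1_000e6); }
}
contract RecoverTokensTest is Test {
    MockUSDC usdc = new MockUSDC();                    // test contract holds supply
    RecoverOnlyOwner guarded = new RecoverOnlyOwner(); // test contract is owner
    RecoverAnyone open = new RecoverAnyone();
    address alice = address(0xA11CE); // sends tokens to the contract by mistake
    address bob = address(0xB0B);     // unrelated third party
    function setUp() public { usdc.transfer(alice, 100e6); }

    // Finding: a non-owner who mis-sent tokens cannot pull them back.
    function test_nonOwnerCannotRecover() public {
        vm.startPrank(alice);
        usdc.transfer(address(guarded), 10e6);
        vm.expectRevert("not owner");
        guarded.recoverTokens(address(usdc), 10e6);
        vm.stopPrank();
        assertEq(usdc.balanceOf(address(guarded)), 10e6); // still stuck
    }
    // Caveat on the proposed mitigation: once onlyOwner is dropped, anyone,
    // not only the mistaken sender, can move the balance to themselves.
    function test_openRecoverLetsAnyoneTakeBalance() public {
        vm.prank(alice);
        usdc.transfer(address(open), 10e6);
        vm.prank(bob);
        open.recoverTokens(address(usdc), 10e6);
        assertEq(usdc.balanceOf(bob), 10e6);
    }
}
```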

Recommended Mitigation


Change the function so the tokens go to the sender; when a sender accidentally sends tokens, they should call it promptly.

- function recoverTokens(address _token, uint256 _amount) external onlyOwner {
- IERC20(_token).transfer(owner, _amount);
}
+ function recoverTokens(address _token, uint256 _amount) external {
+ IERC20(_token).transfer(msg.sender, _amount);
}
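Review bot: Dropping `onlyOwner` and paying out to `msg.sender` removes the access control entirely rather than fixing the finding: the function keeps no record of who sent which tokens, so any caller can pull any `_amount` of any `_token` the contract holds, including balances that belong to the protocol and not only their own mistaken transfer. If self-service recovery is the goal, keep `onlyOwner` on this path and add a separate mechanism that tracks accidental deposits per sender and lets only that sender withdraw them; otherwise keep the owner-only function and document an owner-side process for returning mis-sent funds. Also, the closing `}` lines of both versions lack their `-`/`+` prefix, so the hunk does not apply as written.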
