Incorrect token address passed to _call1InchSwap in _executeOpenOperation causes wrong balance check in fallback path
Root + Impact
Wrong token passed to swap balance fallback causes incorrect return amount calculation, potentially allowing undercollateralized flash loan repayments or causing valid transactions to revert.
Description
During the open position flow, _executeOpenOperation swaps borrowed tokens (e.g., USDT) back to the collateral/flash loan token (e.g., WETH) via 1inch. The _call1InchSwap function takes an _asset parameter that serves as the fallback token to check balance of when the 1inch router returns no data (result.length == 0).
At Stratax.sol, the function passes flashParams.borrowToken instead of _asset (the collateral token) Inside _call1InchSwap, when the 1inch router returns empty data, the fallback checks the balance of the wrong token.The swap converts borrowToken → collateralToken, so returnAmount should reflect the collateral token received. Instead, it reads the borrow token balance (which should be 0 after a successful swap), causing returnAmount to be wrong. Compare with _executeUnwindOperation at Stratax.sol which correctly passes _asset:
uint256 returnAmount = _call1InchSwap(unwindParams.oneInchSwapData, _asset, unwindParams.minReturnAmount);
Risk
Likelihood:
The fallback path triggers when the 1inch aggregation router returns empty result data, which occurs with certain swap routing implementations or during router upgrades that change return data format
The contract integrates via raw low-level .call() with no function selector validation, making it susceptible to interacting with router versions or routes that don't return data
Impact:
returnAmount reads the borrow token balance (expected to be 0 after swap) instead of the actual collateral received, causing require(returnAmount >= _minReturnAmount) to revert — blocking position creation even when the swap succeeded and produced sufficient output
If there happens to be a pre-existing borrow token balance on the contract, returnAmount could be inflated or deflated versus the actual swap output, passing the slippage check with a value that doesn't represent what was actually received
Proof of Concept
Recommended Mitigation
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.