Stratax Contracts

First Flight #57
Beginner FriendlyDeFi
100 EXP
Submission Details
Impact: low
Likelihood: low

Incorrect token address passed to _call1InchSwap in _executeOpenOperation causes wrong balance check in fallback path

Author Revealed upon completion

Root + Impact

Wrong token passed to swap balance fallback causes incorrect return amount calculation, potentially allowing undercollateralized flash loan repayments or causing valid transactions to revert.

Description

During the open position flow, _executeOpenOperation swaps borrowed tokens (e.g., USDT) back to the collateral/flash loan token (e.g., WETH) via 1inch. The _call1InchSwap function takes an _asset parameter that serves as the fallback token to check balance of when the 1inch router returns no data (result.length == 0).

At Stratax.sol, the function passes flashParams.borrowToken instead of _asset (the collateral token) Inside _call1InchSwap, when the 1inch router returns empty data, the fallback checks the balance of the wrong token.The swap converts borrowToken → collateralToken, so returnAmount should reflect the collateral token received. Instead, it reads the borrow token balance (which should be 0 after a successful swap), causing returnAmount to be wrong. Compare with _executeUnwindOperation at Stratax.sol which correctly passes _asset:

uint256 returnAmount = _call1InchSwap(unwindParams.oneInchSwapData, _asset, unwindParams.minReturnAmount);

// Root cause in the codebase with @> marks to highlight the relevant section
uint256 returnAmount =
_call1InchSwap(flashParams.oneInchSwapData, flashParams.borrowToken, flashParams.minReturnAmount);

Risk

Likelihood:

The fallback path triggers when the 1inch aggregation router returns empty result data, which occurs with certain swap routing implementations or during router upgrades that change return data format
The contract integrates via raw low-level .call() with no function selector validation, making it susceptible to interacting with router versions or routes that don't return data

Impact:

returnAmount reads the borrow token balance (expected to be 0 after swap) instead of the actual collateral received, causing require(returnAmount >= _minReturnAmount) to revert — blocking position creation even when the swap succeeded and produced sufficient output
If there happens to be a pre-existing borrow token balance on the contract, returnAmount could be inflated or deflated versus the actual swap output, passing the slippage check with a value that doesn't represent what was actually received

Proof of Concept

Recommended Mitigation

+ add this code
Pass _asset (the collateral/flash loan token) instead of flashParams.borrowToken:
// Execute swap via 1inch
uint256 returnAmount =
+ _call1InchSwap(flashParams.oneInchSwapData, _asset, flashParams.minReturnAmount);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!