Stratax Contracts

First Flight #57
Submission Details
Impact: medium
Likelihood: low

`Stratax::_executeOpenOperation` passes the wrong token to `_call1InchSwap`, breaking the `balanceOf` fallback path


Description

`Stratax::_call1InchSwap` accepts an `_asset` parameter described in the NatSpec as "the asset being swapped to" — i.e., the output token of the swap. This parameter is used in the `balanceOf` fallback when 1inch returns no data:

```solidity
@>  function _call1InchSwap(bytes memory _swapParams, address _asset, uint256 _minReturnAmount)
        internal
        returns (uint256 returnAmount)
    {
        (bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);
        require(success, "1inch swap failed");
        if (result.length > 0) {
            (returnAmount,) = abi.decode(result, (uint256, uint256));
        } else {
@>          returnAmount = IERC20(_asset).balanceOf(address(this));
        }
        require(returnAmount >= _minReturnAmount, "Insufficient return amount from swap");
        return returnAmount;
    }
```

In `Stratax::_executeOpenOperation`, `flashParams.borrowToken` is passed instead of `_asset`:

```solidity
    function _executeOpenOperation(address _asset, uint256 _amount, uint256 _premium, bytes calldata _params)
        internal
        returns (bool)
    {
        // ...
        // Open: swap borrow token → collateral token (_asset). Output = _asset
        // But the code passes flashParams.borrowToken (the INPUT token):
        IERC20(flashParams.borrowToken).approve(address(oneInchRouter), flashParams.borrowAmount);
        uint256 returnAmount =
@>          _call1InchSwap(flashParams.oneInchSwapData, flashParams.borrowToken, flashParams.minReturnAmount);
        // ...
    }
```

The swap in the open flow converts borrow tokens (e.g., WETH) back to the collateral/flash loan token (e.g., USDC). The output is USDC (`_asset`), but `flashParams.borrowToken` (WETH) is passed as `_asset` to `_call1InchSwap`.

Risk

Likelihood:

  • The fallback path triggers when 1inch returns empty result data, which depends on the specific swap function called by the encoded calldata.

Impact:

  • When the fallback triggers during position creation, the transaction always reverts — the WETH balance post-swap is ~0 and cannot satisfy a USDC-denominated `_minReturnAmount`. This is a DoS on position creation for any 1inch swap route that returns empty data.

  • The unwind flow is unaffected since it correctly passes `_asset`.
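
The revert described above can be reproduced in isolation. The following is an added example, not code from the Stratax repository or from this submission: `MockToken`, `SilentRouter` and `FallbackHarness` are constructed stand-ins, and `_swap` copies the fallback logic of `_call1InchSwap` quoted in the Description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal token: only what the harness needs (no access control).
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function burn(address from, uint256 amt) external { balanceOf[from] -= amt; }
}

// Constructed router: swaps tokenIn for tokenOut 1:1 and returns NO data,
// which forces the caller onto the balanceOf fallback.
contract SilentRouter {
    function swap(MockToken tokenIn, MockToken tokenOut, uint256 amt) external {
        tokenIn.burn(msg.sender, amt);
        tokenOut.mint(msg.sender, amt);
    }
}

contract FallbackHarness {
    SilentRouter public router = new SilentRouter();
    MockToken public borrowToken = new MockToken(); // swap input (WETH in the report)
    MockToken public asset = new MockToken();       // swap output (USDC in the report)

    // Same branch structure as the _call1InchSwap quoted in the Description.
    function _swap(bytes memory data, address _asset, uint256 minOut) internal returns (uint256 out) {
        (bool ok, bytes memory result) = address(router).call(data);
        require(ok, "1inch swap failed");
        if (result.length > 0) {
            (out,) = abi.decode(result, (uint256, uint256));
        } else {
            out = MockToken(_asset).balanceOf(address(this));
        }
        require(out >= minOut, "Insufficient return amount from swap");
    }

    // `reported` is the token handed to the fallback; minOut is set to amt (1:1 mock rate).
    function _open(address reported, uint256 amt) internal returns (uint256) {
        borrowToken.mint(address(this), amt); // stands in for the borrowed tokens
        bytes memory data = abi.encodeCall(SilentRouter.swap, (borrowToken, asset, amt));
        return _swap(data, reported, amt);
    }

    // Current call site: input token passed; its balance is 0 after the swap, so this reverts.
    function openBuggy(uint256 amt) external returns (uint256) { return _open(address(borrowToken), amt); }

    // Mitigated call site: output token passed; the fallback sees the swapped amount.
    function openFixed(uint256 amt) external returns (uint256) { return _open(address(asset), amt); }
}
```

For any non-zero `amt`, `openBuggy` reverts with "Insufficient return amount from swap" while `openFixed` succeeds on a fresh deployment.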

Recommended Mitigation

Pass `_asset` (the flash loan / collateral token) instead of `flashParams.borrowToken`:

uint256 returnAmount =
- _call1InchSwap(flashParams.oneInchSwapData, flashParams.borrowToken, flashParams.minReturnAmount);
+ _call1InchSwap(flashParams.oneInchSwapData, _asset, flashParams.minReturnAmount);
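
Review bot: with `_asset` passed on the `+` line, the fallback in `_call1InchSwap` still sets `returnAmount` to `IERC20(_asset).balanceOf(address(this))`, which is the contract's whole balance of that token rather than what the swap produced, so any `_asset` already held when the call is made counts toward `_minReturnAmount`. Consider recording the `_asset` balance before the router call and returning the difference, and add a test for the open flow using a swap route that returns empty data so the fallback branch is covered.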
