Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Flash Loan Callback Lacks Reentrancy Guard

fabriziogiannitrapa

Flash Loan Callback Lacks Reentrancy Guard

Description

executeOperation is the Aave flash loan callback and performs multiple external calls (repay, withdraw, 1inch swap, supply).
The 1inch swap uses a low-level call that can execute arbitrary code. There is no nonReentrant modifier on executeOperation.
While the contract has no obvious callback that would benefit an attacker, defense-in-depth is missing.

function executeOperation(

address _asset,

uint256 _amount,

uint256 _premium,

address _initiator,

bytes calldata _params

@> ) external returns (bool) {

require(msg.sender == address(aavePool), "Caller must be Aave Pool");

require(_initiator == address(this), "Initiator must be this contract");

// ...

} else {

return _executeUnwindOperation(_asset, _amount, _premium, _params);

}

Risk

Likelihood (low):

1inch swap paths would need to callback into this contract.
The contract has no receive() or useful callback; reentrancy paths are limited.

Impact (low):

If a callback path existed, reentrancy could lead to unexpected behavior or fund loss.

Severity (low):

Proof of Concept

1inch router executes swap; DEX in the path calls back to our contract. Without nonReentrant, that callback could re-enter before state is finalized. Current design has no useful callback, so exploit path is unclear.

Recommended Mitigation

+ import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

- contract Stratax is Initializable {

+ contract Stratax is Initializable, ReentrancyGuard {

function executeOperation(...)

+ nonReentrant

external returns (bool) {

Note: If the contract is upgradeable, ensure ReentrancyGuard storage is compatible with the upgrade pattern.

Updates

Lead Judging Commences

izuman Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

1inch API

Corrupted 1inch API data siphons tokens held by the Stratax contract

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!