Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: low

Likelihood: high

USDC State Variable Stored and Initialized but Never Used

Author Revealed upon completion

Root + Impact

Location: src/Stratax.sol:106

Description

The USDC address is declared as a state variable, set in initialize(), and publicly readable — but it is never referenced in any function logic within the contract.

// src/Stratax.sol:106

address public USDC; // @> declared, occupies storage slot

// src/Stratax.sol:183

USDC = _usdc; // @> set in initializer, never read again

// No other reference to USDC exists anywhere in Stratax.sol

Risk

Likelihood:

The variable is set on every deployment but has no effect — this is always the case in the current codebase

Impact:

Wastes one storage slot in the proxy's storage layout
Misleads integrators and auditors into assuming USDC has special protocol-level significance
A future upgrade adding USDC logic would assume this is set correctly, with no on-chain enforcement

Proof of Concept

// SPDX-License-Identifier: UNLICENSED

pragma solidity ^0.8.13;

// Static analysis — search for all USDC references in Stratax.sol:

// Line 106: address public USDC; ← declaration

// Line 183: USDC = _usdc; ← assignment in initialize()

// All other occurrences: NONE

// The variable is set, publicly readable, but never read by any internal logic.

// No function in the contract references `USDC` after line 183.

// It occupies storage slot 7 in the proxy without serving any purpose.

Recommended Mitigation

Remove the USDC state variable and its assignment in initialize(). If USDC is intended for a future feature, document the reservation explicitly with a NatSpec comment on the __gap array instead — the 50-slot gap already reserves space for future variables without naming them prematurely.

- address public USDC;

function initialize(..., address _usdc, ...) external initializer {

- USDC = _usdc;

}

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!