The recoverTokens function is designed as an emergency recovery mechanism that allows the owner to retrieve tokens accidentally sent to the contract. It accepts any ERC20 token address and amount, transferring the specified amount to the owner.
The function does not distinguish between "stuck" tokens and tokens that are critical to active Aave positions. When the Stratax contract supplies collateral to Aave, it receives aTokens (e.g., aWETH, aUSDC) which are standard ERC20 tokens held by the contract. The owner can call recoverTokens with an aToken address to withdraw collateral from under active leveraged positions, destroying position health.
Likelihood:
The function is callable by the owner at any time, with no restriction on which tokens can be recovered and no check against the contract's Aave positions. In a proxy-based deployment where ownership may be transferred or held by a multisig, a compromised owner key, a compromise of enough multisig signers to reach the threshold, or a governance attack could trigger this.
Even without malicious intent, a well-meaning owner could accidentally recover aTokens, not realizing they represent active Aave collateral.
Impact:
Recovering aTokens removes the Aave collateral backing leveraged positions while the borrowed debt remains. Once enough collateral is pulled, the position health factor falls below 1.0 and the position becomes liquidatable on Aave; the liquidation bonus (roughly 5-10% on Aave V3, depending on the asset) is paid out of the remaining collateral, so users lose value beyond the recovered amount.
The function also does not check the return value of transfer. For tokens that signal failure by returning false rather than reverting, a failed recovery would not revert: the call appears to succeed while no tokens move, leaving the owner with a wrong picture of what the contract holds.
This Foundry test demonstrates that the owner can call recoverTokens with the aWETH token address (Aave's interest-bearing WETH wrapper) and successfully transfer the contract's entire aToken balance to themselves. No allowlist, denylist, or health-factor check prevents the recovery of tokens that back active leveraged positions.
Introduce a protectedTokens mapping that the owner populates with aToken addresses when positions are opened, and have recoverTokens reject any token in that set. Additionally, check the return value of transfer (for example via OpenZeppelin's SafeERC20, whose safeTransfer reverts on a false return and handles tokens that return no value) to avoid silent failures.
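The following is an added illustration of the recommendation, not Stratax's code: the contract names, the setProtectedToken function and the recoverTokens(address, uint256) signature are assumptions based on the description above. The "before" contract shows the shape of the finding (any token, any amount, unchecked transfer); the "after" contract adds the protectedTokens set and uses OpenZeppelin's SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts 5.x (Ownable takes an initial owner).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// "Before" (illustrative, not the audited code): the owner can pull any
/// ERC20, including the aTokens that back open Aave positions, and a
/// token returning false on failure leaves this call looking successful.
contract RecoverUnprotected is Ownable {
    constructor(address initialOwner) Ownable(initialOwner) {}

    function recoverTokens(address token, uint256 amount) external onlyOwner {
        // Return value ignored; no allowlist, denylist or health check.
        IERC20(token).transfer(owner(), amount);
    }
}

/// "After": tokens that represent active collateral are registered in
/// protectedTokens and recoverTokens refuses them; transfers go through
/// SafeERC20 so a failed transfer reverts instead of silently succeeding.
contract RecoverProtected is Ownable {
    using SafeERC20 for IERC20;

    /// aToken address => true while it backs an open position.
    mapping(address => bool) public protectedTokens;

    event ProtectedTokenSet(address indexed token, bool isProtected);
    event TokensRecovered(address indexed token, address indexed to, uint256 amount);

    error ProtectedToken(address token);
    error ZeroAddress();

    constructor(address initialOwner) Ownable(initialOwner) {}

    /// Assumed hook: called with the aToken address when collateral is
    /// supplied (isProtected = true) and when the position is fully
    /// unwound (isProtected = false).
    function setProtectedToken(address token, bool isProtected) external onlyOwner {
        if (token == address(0)) revert ZeroAddress();
        protectedTokens[token] = isProtected;
        emit ProtectedTokenSet(token, isProtected);
    }

    /// Emergency recovery of tokens accidentally sent to the contract.
    function recoverTokens(address token, uint256 amount) external onlyOwner {
        if (protectedTokens[token]) revert ProtectedToken(token);
        // safeTransfer reverts on a false return value and on a revert,
        // and tolerates tokens that return no value at all.
        IERC20(token).safeTransfer(owner(), amount);
        emit TokensRecovered(token, owner(), amount);
    }
}
```

Because setProtectedToken is itself owner-only, this guards against the accidental case described above but not against a malicious owner, who could unmark a token and then recover it. If the threat model includes a compromised owner, register the aToken automatically inside the supply path rather than via an owner call, or put recoverTokens behind a timelock so users can exit before the recovery executes.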