Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high

Incorrect Collateral Calculation During Unwind Operation

Author Revealed upon completion
// Current calculation in _executeUnwindOperation
uint256 collateralToWithdraw = (
    _amount * debtTokenPrice * (10 ** IERC20(unwindParams.collateralToken).decimals()) * LTV_PRECISION
) / (collateralTokenPrice * (10 ** IERC20(_asset).decimals()) * liqThreshold);
// @> liqThreshold should be ltv

Description

Normal behavior: The contract should calculate the exact amount of collateral to withdraw to repay the debt plus flash loan when unwinding a leveraged position.
Issue: The contract currently uses liquidationThreshold instead of the correct LTV when calculating how much collateral to withdraw. This underestimates the collateral, leaving insufficient funds to repay the flash loan.
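
The effect of the divisor can be checked off-chain. The following is an added example, not code from the Stratax repository: it mirrors the formula above with Python integers, which truncate on division like uint256. LTV_PRECISION = 10_000 (basis points), the 8-decimal prices, the token decimals and the 80% / 82.5% parameters are assumptions or constructed values, and the function names are hypothetical.

```python
# Added example: mirrors the Solidity integer arithmetic with Python ints.
# All values below are constructed; LTV_PRECISION = 10_000 is an assumption.

LTV_PRECISION = 10_000  # assumed: basis points, the scale Aave uses for ltv


def collateral_to_withdraw(amount, debt_price, collateral_price,
                           debt_decimals, collateral_decimals, ratio_bps):
    """Formula from _executeUnwindOperation; ratio_bps is the divisor
    under discussion (liqThreshold today, ltv in the proposed fix)."""
    if ratio_bps == 0:
        # Solidity would revert on division by zero here.
        raise ZeroDivisionError("ratio_bps is zero: unwind would revert")
    numerator = (amount * debt_price
                 * 10 ** collateral_decimals * LTV_PRECISION)
    denominator = collateral_price * 10 ** debt_decimals * ratio_bps
    return numerator // denominator  # truncating, like uint256 division


def compare(amount, debt_price, collateral_price,
            debt_decimals, collateral_decimals, ltv, liq_threshold):
    """Return (with_liq_threshold, with_ltv, difference) in collateral units."""
    args = (amount, debt_price, collateral_price,
            debt_decimals, collateral_decimals)
    with_lt = collateral_to_withdraw(*args, liq_threshold)
    with_ltv = collateral_to_withdraw(*args, ltv)
    return with_lt, with_ltv, with_ltv - with_lt


if __name__ == "__main__":
    # Constructed position: repay 1,000 units of a 6-decimal debt token
    # priced at 1.00, against an 18-decimal collateral token priced at
    # 2,000.00 (prices with 8 decimals); ltv 80%, liqThreshold 82.5%.
    with_lt, with_ltv, diff = compare(
        amount=1_000 * 10**6, debt_price=1 * 10**8,
        collateral_price=2_000 * 10**8,
        debt_decimals=6, collateral_decimals=18,
        ltv=8_000, liq_threshold=8_250)
    print(f"divisor liqThreshold: {with_lt / 1e18:.6f} collateral")
    print(f"divisor ltv:          {with_ltv / 1e18:.6f} collateral")
    print(f"difference:           {diff / 1e18:.6f} collateral")
```

With these constructed inputs the liqThreshold divisor yields about 3% less collateral than the ltv divisor; the same script can be rerun with a reserve's real parameters.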

Risk

Likelihood:

  • Reason 1

  • Reason 2

Impact:

  • Impact 1

  • Impact 2

Proof of Concept

Open a leveraged position using Aave.
Attempt to unwind using the contract.
Observe that the swap returns less than required to cover the flash loan.

Recommended Mitigation

- uint256 collateralToWithdraw = (
- _amount * debtTokenPrice * (10 ** IERC20(unwindParams.collateralToken).decimals()) * LTV_PRECISION
- ) / (collateralTokenPrice * (10 ** IERC20(_asset).decimals()) * liqThreshold);
+ (, uint256 ltv,,,,,,,,) = aaveDataProvider.getReserveConfigurationData(unwindParams.collateralToken);
+ uint256 collateralToWithdraw = (
+ _amount * debtTokenPrice * (10 ** IERC20(unwindParams.collateralToken).decimals()) * LTV_PRECISION
+ ) / (collateralTokenPrice * (10 ** IERC20(_asset).decimals()) * ltv);
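
Review bot: the new divisor ltv in the last added line is used without a zero check. Aave reserves can be configured with an LTV of 0, and in that case this division reverts and the unwind cannot complete; add a require(ltv > 0, ...) or a defined fallback before the division. Because the divisor changes from liqThreshold to ltv, collateralToWithdraw also changes in size, so a test covering the unwind path with the new value should accompany this change.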
