Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: medium

Author: Revealed upon completion

FINDING #1: Oracle Price Manipulation via Flash Loans

ROOT + IMPACT

Description: The protocol reads Chainlink oracle prices during flash loan execution to calculate position health and leverage ratios. An attacker can manipulate these prices via large swaps on 1inch within the same transaction, causing incorrect valuations.

Code:

// In Stratax.sol, executeOperation (flash loan callback)
function executeOperation(...) external {
    uint256 price = strataxOracle.getPrice(collateralToken); // @> Price read during flash loan
    // Calculate position parameters using potentially manipulated price
    uint256 collateralValue = collateralAmount * price;
    // Execute swaps on 1inch that could manipulate the price further
    oneInch.swap(...);
}
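As an added example (not code from the Stratax repository or this submission), a standalone oracle wrapper showing what a guarded price read looks like from the defender's side: a staleness check on the Chainlink answer and a 10% band against a time-weighted average, returning the TWAP rather than the spot. The ITwapSource interface, the token/window parameters and the contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of the Chainlink AggregatorV3 interface actually used here.
interface IAggregatorV3 {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Assumed TWAP source (e.g. a wrapper over an on-chain pool oracle); hypothetical interface.
interface ITwapSource {
    function consult(address token, uint32 window) external view returns (uint256 twap);
}

/// Oracle read that refuses spot prices diverging from a time-weighted average.
contract GuardedOracle {
    uint256 public constant MAX_DEVIATION_BPS = 1_000; // 10% band, as in the mitigation
    uint256 public constant MAX_STALENESS = 1 hours;   // reject feed answers older than this
    uint32  public constant TWAP_WINDOW = 1 hours;

    IAggregatorV3 public immutable feed;
    ITwapSource public immutable twapSource;
    address public immutable token;

    constructor(IAggregatorV3 _feed, ITwapSource _twapSource, address _token) {
        feed = _feed;
        twapSource = _twapSource;
        token = _token;
    }

    /// Returns the TWAP after checking that the spot feed is fresh and within the band.
    /// Assumes both sources report prices with the same number of decimals.
    function getSafePrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "GuardedOracle: non-positive answer");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "GuardedOracle: stale feed");

        uint256 spot = uint256(answer);
        uint256 twap = twapSource.consult(token, TWAP_WINDOW);
        require(twap > 0, "GuardedOracle: empty TWAP");

        // |spot - twap| / twap <= 10%, written without division so there is no rounding slack
        uint256 deviation = spot > twap ? spot - twap : twap - spot;
        require(deviation * 10_000 <= twap * MAX_DEVIATION_BPS, "GuardedOracle: price deviation exceeds 10%");

        return twap; // the averaged value, not the spot, feeds position math
    }
}
```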

RISK

Likelihood:

  • Flash loans are atomic: the attacker can manipulate the price within the same transaction

  • 1inch integration allows large swaps that move market prices

  • Chainlink oracles update based on market data that includes manipulated trades

  • No time-weighted average or circuit breaker protection implemented

Impact:

  • Attacker creates under-collateralized positions using inflated collateral values

  • Protocol left with bad debt when positions liquidate at real prices

  • Historical precedent: Mango Markets ($110M) and Cream Finance ($130M) were exploited with the same attack pattern

PROOF OF CONCEPT

1. Attacker flash loans 10M USDC
2. Swaps 5M USDC → ETH on 1inch (drives ETH price up temporarily)
3. Chainlink oracle reflects elevated ETH price
4. Attacker calls createLeveragedPosition with 1 ETH at inflated price
5. Protocol calculates collateral value at inflated price (e.g., $5000 instead of $2000)
6. Attacker borrows maximum against false collateral value
7. Flash loan repaid with borrowed funds
8. Price returns to normal
9. Attacker's position shows profit, protocol has bad debt

RECOMMENDED MITIGATION

// Add TWAP and circuit breaker
- uint256 price = strataxOracle.getPrice(collateralToken);
+ uint256 twapPrice = strataxOracle.getTWAP(collateralToken, 1 hours);
+ uint256 spotPrice = strataxOracle.getPrice(collateralToken);
+ require(
+ spotPrice >= twapPrice * 90 / 100 &&
+ spotPrice <= twapPrice * 110 / 100,
+ "Price deviation exceeds 10%"
+ );
+ uint256 price = twapPrice; // Use TWAP, not spot
// Add flash loan guard
+ modifier noFlashLoanPrice() {
+ require(!inFlashLoan, "Cannot read prices during flash loan");
+ _;
+ }
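Review bot: the `noFlashLoanPrice` modifier references an `inFlashLoan` flag that this diff never declares, sets or clears, and the modifier is not applied to any function, so as written it has no effect; if it were applied to the price read in `executeOperation`, the protocol's own leveraged-position flow would revert, because that callback is exactly where the read happens. Suggest declaring `bool private inFlashLoan;`, toggling it around the flash-loan call, and naming the external entry points that get the modifier. Separately, `getTWAP(collateralToken, 1 hours)` is not a Chainlink aggregator method, so `strataxOracle` would need to implement it from another source (for example an on-chain pool TWAP); worth stating where that value comes from so the mitigation is actionable.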
