Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: medium

Findings of L8

Author Revealed upon completion

FINDING #1: Oracle Price Manipulation via Flash Loans

ROOT + IMPACT

Description: The protocol reads Chainlink oracle prices during flash loan execution to calculate position health and leverage ratios. An attacker can manipulate these prices via large swaps on 1inch within the same transaction, causing incorrect valuations.

Code:

// In Stratax.sol, executeOperation (flash loan callback)

function executeOperation(...) external {

uint256 price = strataxOracle.getPrice(collateralToken); // @> Price read during flash loan

// Calculate position parameters using potentially manipulated price

uint256 collateralValue = collateralAmount * price;

// Execute swaps on 1inch that could manipulate the price further

oneInch.swap(...);

}

RISK

Likelihood:

Flash loans are atomic - attacker can manipulate price in same transaction
1inch integration allows large swaps that move market prices
Chainlink oracles update based on market data that includes manipulated trades
No time-weighted average or circuit breaker protection implemented

Impact:

Attacker creates under-collateralized positions using inflated collateral values
Protocol left with bad debt when positions liquidate at real prices
Historical precedent: Mango Markets ($110M), Cream Finance ($130M) used identical attack pattern

PROOF OF CONCEPT

1. Attacker flash loans 10M USDC

2. Swaps 5M USDC → ETH on 1inch (drives ETH price up temporarily)

3. Chainlink oracle reflects elevated ETH price

4. Attacker calls createLeveragedPosition with 1 ETH at inflated price

5. Protocol calculates collateral value at inflated price (e.g., $5000 instead of $2000)

6. Attacker borrows maximum against false collateral value

7. Flash loan repaid with borrowed funds

8. Price returns to normal

9. Attacker's position shows profit, protocol has bad debt

RECOMMENDED MITIGATION

// Add TWAP and circuit breaker

- uint256 price = strataxOracle.getPrice(collateralToken);

+ uint256 twapPrice = strataxOracle.getTWAP(collateralToken, 1 hours);

+ uint256 spotPrice = strataxOracle.getPrice(collateralToken);

+ require(

+ spotPrice >= twapPrice * 90 / 100 &&

+ spotPrice <= twapPrice * 110 / 100,

+ "Price deviation exceeds 10%"

+ );

+ uint256 price = twapPrice; // Use TWAP, not spot

// Add flash loan guard

+ modifier noFlashLoanPrice() {

+ require(!inFlashLoan, "Cannot read prices during flash loan");

+ _;

+ }

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!