When integrating a DEX aggregator, the contract should constrain what can be executed—e.g., call a specific, typed function (swap) and verify that the swap parameters (tokenIn, tokenOut, receiver, amounts) match the protocol’s expectations (e.g., borrowToken → collateralToken, receiver = address(this)). This prevents misuse of approvals and avoids calling unintended code paths.
Stratax forwards user‑supplied, opaque calldata directly to the 1inch router via a low‑level call without decoding or validating it. Any router function selector can be invoked, and Stratax will trust the router’s returned bytes as (returnAmount, spentAmount) (or fall back to a balance probe). This creates a broad class of risks: the router can be instructed to move approved tokens in unexpected ways, route to unexpected receivers, or execute a function that doesn’t conform to the assumed ABI.
Where: _call1InchSwap uses address(oneInchRouter).call(_swapParams); callers pass oneInchSwapData straight from createLeveragedPosition/unwindPosition into the flash‑loan path without any semantic checks.
Likelihood: Medium
Operator error / malformed calldata is common with off‑chain quoting. Any mis‑encoded call or selector drift on router upgrades will hit this path.
Defense‑in‑depth gap: Even if 1inch router is trustworthy, initialization mistakes (wrong router address on some chain) or future router changes can turn this into a serious foot‑gun. Over time, such misconfigurations will occur.
Impact: Medium
Loss of approved funds / mis‑routing: Calldata may instruct the router to spend the allowance on a different source token, send the output to a third party, or never deliver the intended destination token to this contract.
Hard‑to‑debug reverts: The code trusts the router’s return tuple; if it returns crafted bytes or none, the subsequent logic can miscompute returnAmount and fail late (e.g., flash‑loan repayment revert), causing gas loss and operational instability.
Conceptual pseudocode:
Replace the raw .call with a typed interface call (e.g., IAggregationRouterV5.swap(executor, desc, permit, data)), so the compiler ABI‑checks the return tuple instead of the code blindly decoding whatever bytes come back.
Decode and verify invariants before calling:
desc.srcToken == expectedInput (e.g., borrowToken in OPEN).
desc.dstToken == expectedOutput (e.g., flash‑loan asset _asset in OPEN).
desc.dstReceiver == address(this).
desc.amount <= approvedAmount and flags within an allowlist.
Reject any other selector/shape (keep a selector allowlist if you must support multiple router entrypoints).
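The constraints above, as an added Solidity sketch written for this page (it is not Stratax's code and not 1inch's). It assumes the AggregationRouterV5 swap layout shown in the interface (executor, desc, permit, data), assumes the partial‑fill flag is bit 0 of desc.flags, and uses hypothetical names (_constrainedSwap, _rawSwap, ALLOWED_FLAGS); verify the interface against the router deployed on the target chain before relying on it. The raw pattern the finding describes is reconstructed beside the hardened version for contrast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumed; production code should use SafeERC20).
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
}

interface IAggregationExecutor {}

// Assumed 1inch AggregationRouterV5 swap entrypoint; confirm against the deployed router.
interface IAggregationRouterV5 {
    struct SwapDescription {
        IERC20 srcToken;
        IERC20 dstToken;
        address payable srcReceiver;
        address payable dstReceiver;
        uint256 amount;
        uint256 minReturnAmount;
        uint256 flags;
    }
    function swap(IAggregationExecutor executor, SwapDescription calldata desc, bytes calldata permit, bytes calldata data)
        external payable returns (uint256 returnAmount, uint256 spentAmount);
}

abstract contract ConstrainedOneInchSwap {
    IAggregationRouterV5 public immutable oneInchRouter;
    // Only the partial-fill flag (assumed bit 0 in V5) is tolerated; every other flag is rejected.
    uint256 internal constant ALLOWED_FLAGS = 1 << 0;

    error UnsupportedSelector(bytes4 selector);
    error BadToken(address got, address want);
    error BadReceiver(address got);
    error AmountTooLarge(uint256 got, uint256 max);
    error DisallowedFlags(uint256 flags);
    error NonEmptyPermit();
    error InsufficientOutput(uint256 got, uint256 min);

    constructor(address router) { oneInchRouter = IAggregationRouterV5(router); }

    /// @dev Reconstruction of the pattern the finding describes (not Stratax's source):
    ///      opaque bytes forwarded as-is, return data trusted blindly.
    function _rawSwap(bytes calldata oneInchSwapData) internal returns (uint256 returnAmount) {
        (bool ok, bytes memory ret) = address(oneInchRouter).call(oneInchSwapData);
        require(ok, "swap failed");
        (returnAmount, ) = abi.decode(ret, (uint256, uint256)); // any selector, any shape, any receiver
    }

    /// @dev Hardened version: decode, enforce invariants, typed call, then trust the balance
    ///      delta rather than the router's reported number.
    function _constrainedSwap(
        bytes calldata oneInchSwapData,
        address expectedIn,   // e.g. borrowToken when opening
        address expectedOut,  // e.g. the flash-loan asset when opening
        uint256 maxAmount,    // the most this call may spend from expectedIn
        uint256 minOut        // protocol-side slippage floor, independent of the quote
    ) internal returns (uint256 received) {
        bytes4 selector = bytes4(oneInchSwapData[:4]);
        if (selector != IAggregationRouterV5.swap.selector) revert UnsupportedSelector(selector);

        (IAggregationExecutor executor, IAggregationRouterV5.SwapDescription memory desc, bytes memory permit, bytes memory data) =
            abi.decode(oneInchSwapData[4:], (IAggregationExecutor, IAggregationRouterV5.SwapDescription, bytes, bytes));

        if (address(desc.srcToken) != expectedIn) revert BadToken(address(desc.srcToken), expectedIn);
        if (address(desc.dstToken) != expectedOut) revert BadToken(address(desc.dstToken), expectedOut);
        if (desc.dstReceiver != address(this)) revert BadReceiver(desc.dstReceiver);
        if (desc.amount > maxAmount) revert AmountTooLarge(desc.amount, maxAmount);
        if ((desc.flags & ~ALLOWED_FLAGS) != 0) revert DisallowedFlags(desc.flags);
        // This contract never signs an EIP-2612 permit, so a non-empty permit is only attack surface.
        if (permit.length != 0) revert NonEmptyPermit();

        // Approve exactly what this swap may spend, never a standing allowance.
        IERC20(expectedIn).approve(address(oneInchRouter), desc.amount);

        uint256 before = IERC20(expectedOut).balanceOf(address(this));
        oneInchRouter.swap(executor, desc, permit, data); // typed: return tuple is ABI-checked
        received = IERC20(expectedOut).balanceOf(address(this)) - before;
        if (received < minOut) revert InsufficientOutput(received, minOut);

        // Partial fills can leave allowance behind; clear it so nothing lingers for the router.
        IERC20(expectedIn).approve(address(oneInchRouter), 0);
    }
}
```

The selector check is what makes the abi.decode meaningful: without it, a caller could pass the tail of a different router function that happens to decode into plausible-looking fields. The balance delta, not the returned returnAmount, is the value fed into flash‑loan repayment, which turns a late, hard‑to‑debug revert into an explicit InsufficientOutput at the swap boundary.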