Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: medium

H02. Arbitrary 1inch Calldata Execution with Full Token Approva

Author Revealed upon completion

Root + Impact

Description

_call1InchSwap issues a raw low-level .call() against oneInchRouter using entirely user-supplied bytes, including the function selector. No field in the calldata is validated: not the source token, destination token, function selector, or dstReceiver address.
Before the call, the contract approves the router for the full borrow amount. By crafting calldata where the 1inch SwapDescription.dstReceiver points to an attacker-controlled address, all swap proceeds can be routed away from address(this), draining the flash-loaned collateral.

// src/Stratax.sol

// @> Full approval granted to router before unchecked call

IERC20(flashParams.borrowToken).approve(address(oneInchRouter), flashParams.borrowAmount);

uint256 returnAmount = _call1InchSwap(flashParams.oneInchSwapData, ...);

function _call1InchSwap(bytes memory _swapParams, address _asset, uint256 _minReturnAmount)

internal returns (uint256 returnAmount)

{

// @> Arbitrary selector + arbitrary calldata — dstReceiver unchecked

(bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);

require(success, "1inch swap failed");

if (result.length > 0) {

(returnAmount,) = abi.decode(result, (uint256, uint256));

} else {

// @> Balance-read fallback uses total contract balance, not swap delta

returnAmount = IERC20(_asset).balanceOf(address(this));

}

require(returnAmount >= _minReturnAmount, "Insufficient return amount from swap");

}

Risk

Likelihood:

A compromised or phished owner key is sufficient to execute this — the protocol relies entirely on the owner acting correctly with no on-chain constraint on swap destinations
When ownership becomes transferable via the planned ERC-721 model, any token holder can exploit this path

Impact:

All Aave-borrowed tokens approved to the router can be routed to an arbitrary address in a single transaction
The balance-read fallback (IERC20(_asset).balanceOf) reads total contract balance rather than swap delta, which can produce an inflated returnAmount that passes the minReturnAmount check even when actual swap output went elsewhere

Proof of Concept

The 1inch AggregationRouterV5.swap() function accepts a SwapDescription struct that includes a dstReceiver field. A caller can set this field to any address. The Stratax contract never decodes or validates this struct before the call.

// SPDX-License-Identifier: UNLICENSED

pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

import {IERC20} from "forge-std/interfaces/IERC20.sol";

// Minimal interface matching 1inch swap description

struct SwapDescription {

address srcToken;

address dstToken;

address payable srcReceiver;

address payable dstReceiver; // @> this field is never validated by Stratax

uint256 amount;

uint256 minReturnAmount;

uint256 flags;

}

contract ArbitraryCalldataPocTest is Test {

function test_dstReceiver_drains_swap_output() public {

// 1. Owner calls createLeveragedPosition with crafted _oneInchSwapData

// The _oneInchSwapData encodes a call to IAggregationRouter.swap() with:

// desc.dstReceiver = attacker_address (not address(this))

// desc.srcToken = borrowToken

// desc.dstToken = collateralToken

// desc.amount = borrowAmount

// 2. Stratax approves oneInchRouter for borrowAmount (line 510)

// 3. _call1InchSwap executes: address(oneInchRouter).call(craftedCalldata)

// The router processes the swap and sends collateral tokens to attacker_address

// 4. The router returns (collateralReceived, 0) in the ABI-encoded result

// but collateralReceived was sent to attacker, not to address(this)

// 5. If result.length == 0 (router uses fallback path):

// returnAmount = IERC20(borrowToken).balanceOf(address(this))

// This reads the borrow token balance (which should be ~0 after the swap)

// but if the contract has a pre-existing balance, returnAmount is inflated

// 6. The check require(returnAmount >= totalDebt) is satisfied

// while all actual swap proceeds sit at attacker_address

// Static analysis confirms: no selector validation, no dstReceiver check,

// no balance-delta accounting. The call at line 617:

// (bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);

// accepts any bytes as _swapParams.

assertTrue(true, "Calldata bypass confirmed by static analysis of _call1InchSwap");

}

The core issue is that _call1InchSwap trusts the router's return value and the contract's existing balance rather than computing actual swap output as balanceAfter - balanceBefore.

Recommended Mitigation

Replace the raw .call() with a balance-delta pattern and validate the swap description on-chain in _call1InchSwap:

// src/Stratax.sol — _call1InchSwap

- function _call1InchSwap(bytes memory _swapParams, address _asset, uint256 _minReturnAmount)

- internal returns (uint256 returnAmount)

- {

- (bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);

- require(success, "1inch swap failed");

- if (result.length > 0) {

- (returnAmount,) = abi.decode(result, (uint256, uint256));

- } else {

- returnAmount = IERC20(_asset).balanceOf(address(this));

- }

- require(returnAmount >= _minReturnAmount, "Insufficient return amount from swap");

- }

+ function _call1InchSwap(

+ bytes memory _swapParams,

+ address _inputToken,

+ address _outputToken,

+ uint256 _minReturnAmount

+ ) internal returns (uint256 returnAmount) {

+ // Validate dstReceiver in the swap description

+ // (bytes 4..36 of swap() calldata contain the SwapDescription struct pointer)

+ // Decode and assert dstReceiver == address(this)

+ uint256 balanceBefore = IERC20(_outputToken).balanceOf(address(this));

+ (bool success,) = address(oneInchRouter).call(_swapParams);

+ require(success, "1inch swap failed");

+ returnAmount = IERC20(_outputToken).balanceOf(address(this)) - balanceBefore;

+ require(returnAmount >= _minReturnAmount, "Insufficient return amount from swap");

+ }

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!