Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high

Hardcoded flashLoanFeeBps Can Cause Flash Loan DoS

Author Revealed upon completion

Root + Impact

Description

  • Normal behavior: Aave passes the flash loan fee to the receiver as the _premium parameter of the executeOperation callback, and the receiver must repay it along with the borrowed amount. The protocol can change this fee dynamically.

  • Issue: Stratax hardcodes the flash loan fee as flashLoanFeeBps = 9 (0.09%) in initialize(). Internal functions like _executeOpenOperation and _executeUnwindOperation calculate repayment using this fixed fee instead of the _premium parameter.

// Root cause in the codebase
flashLoanFeeBps = 9; // Hardcoded Aave flash loan fee
...
uint256 flashLoanFee = (flashLoanAmount * flashLoanFeeBps) / FLASHLOAN_FEE_PREC; // @> Used instead of _premium
uint256 minRequiredAfterSwap = flashLoanAmount + flashLoanFee;

Risk

Likelihood:

  • If Aave updates the flash loan fee (e.g., from 0.09% → 0.1%), the contract underestimates repayment.

  • Any flash loan operation (createLeveragedPosition or unwindPosition) will revert, blocking users.

Impact:

  • Denial of Service (DoS): Users cannot open or unwind positions until the contract is upgraded.

  • Positions cannot be fully managed; user funds can effectively be locked.

Proof of Concept

// Hardcoded fee = 9 bps
// Aave flash loan fee increased to 0.1% (10 bps)
// User calls open leveraged position
stratax.createLeveragedPosition(
    USDC,
    100e6, // flash loan amount
    100e6, // user collateral
    DAI,
    50e18,
    oneInchSwapData,
    49e18
);
// Internal calculation uses hardcoded fee
// flashLoanFee = 100e6 * 9 / 10000 = 0.09e6 USDC
// Actual premium from Aave = 0.1e6 USDC
// minRequiredAfterSwap = 100e6 + 0.09e6 = 100.09e6 USDC
// Actual repayment required = 100.1e6 USDC → transaction reverts

The contract uses a static fee to compute repayment amounts. If the real Aave flash loan premium increases, the contract cannot repay the loan, causing any flash loan operation to fail. This results in permanent DoS for position creation/unwinding until the contract logic is fixed.

Recommended Mitigation

- uint256 flashLoanFee = (flashLoanAmount * flashLoanFeeBps) / FLASHLOAN_FEE_PREC;
+ uint256 flashLoanFee = _premium; // Use actual fee from Aave flash loan
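
Review bot: the `+` line reads `_premium` at the point where `flashLoanFee` is computed, but the description places that computation in the internal functions `_executeOpenOperation` and `_executeUnwindOperation`, while `_premium` is a parameter of the `executeOperation` callback. The patch should show `_premium` being passed into both internal functions and this replacement applied in each, otherwise one of the two paths keeps using `flashLoanFeeBps`. Once that is done, `flashLoanFeeBps` and `FLASHLOAN_FEE_PREC` no longer take part in repayment, so state explicitly whether they are removed or kept as informational only.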

  • Always use _premium provided by Aave in executeOperation.

  • Remove dependency on flashLoanFeeBps for repayment calculations.

  • Optionally, keep flashLoanFeeBps for informational purposes, but never for repayment logic.
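
The PoC arithmetic and the mitigation above, modelled as an added Python example (not Stratax or Aave code) and extended to sweep several pool fee settings. It assumes the pool computes its premium as amount * bps / 10000 and that the receiver approves exactly the repayment it computed; all function names are hypothetical.

```python
FLASHLOAN_FEE_PREC = 10_000  # basis-point denominator used in the PoC arithmetic
HARDCODED_FEE_BPS = 9        # flashLoanFeeBps as set in initialize()


class Revert(Exception):
    """Stands in for an EVM revert."""


def pool_premium(amount: int, pool_bps: int) -> int:
    # Assumption: the pool charges amount * bps / 10000, as in the PoC figures.
    return amount * pool_bps // FLASHLOAN_FEE_PREC


def execute_operation(amount: int, premium: int, swap_out: int, use_premium: bool) -> int:
    """Receiver callback model; returns the amount approved for repayment."""
    if use_premium:
        fee = premium  # mitigation: use the value the pool passed in
    else:
        fee = amount * HARDCODED_FEE_BPS // FLASHLOAN_FEE_PREC  # reported root cause
    min_required_after_swap = amount + fee
    if swap_out < min_required_after_swap:
        raise Revert("swap output below minRequiredAfterSwap")
    # Assumption: the receiver approves exactly what it computed.
    return min_required_after_swap


def flash_loan(amount: int, pool_bps: int, swap_out: int, use_premium: bool) -> str:
    """Pool side: lend, run the callback, then pull amount + premium."""
    premium = pool_premium(amount, pool_bps)
    try:
        approved = execute_operation(amount, premium, swap_out, use_premium)
    except Revert as exc:
        return f"revert: {exc}"
    owed = amount + premium
    if approved < owed:
        return f"revert: pool pulls {owed}, receiver approved {approved}"
    return "ok"


def sweep(amount: int, swap_out: int, bps_values=(5, 9, 10)) -> dict:
    """Map pool fee (bps) -> (hardcoded outcome, _premium outcome)."""
    return {bps: (flash_loan(amount, bps, swap_out, False),
                  flash_loan(amount, bps, swap_out, True)) for bps in bps_values}


if __name__ == "__main__":
    # Constructed input: 100e6 USDC loan, swap returns 100.2e6 USDC.
    for bps, outcome in sweep(100_000_000, 100_200_000).items():
        print(bps, outcome)
```

With a swap output that falls between the two computed minimums, the hardcoded path passes its own slippage check and only fails when the pool pulls repayment, while the `_premium` path rejects the swap at the check itself.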
