Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Arbitrary 1inch Swap Data Can Be Exploited by Owner

Author Revealed upon completion

Root + Impact

Description

Normal behavior: Stratax uses 1inch to swap tokens during leveraged position open and unwind operations.
Issue: The contract executes low-level calls with calldata passed directly from the owner (createLeveragedPosition and unwindPosition) via _call1InchSwap:

// Root cause in the codebase

function _call1InchSwap(bytes memory _swapParams, address _asset, uint256 _minReturnAmount)

internal

returns (uint256 returnAmount)

{

// Execute arbitrary low-level call

(bool success, bytes memory result) = address(oneInchRouter).call(_swapParams); @> owner-supplied calldata

require(success, "1inch swap failed");

...

}

Centralization risk: Only the owner can initiate leveraged operations, meaning the owner controls all calldata for token swaps, which could be maliciously crafted to:

Drain user collateral
Swap to tokens with 0 value (rug-pull)
Interact with arbitrary contracts

Risk

Likelihood:

High likelihood because the contract relies on owner-supplied 1inch calldata for both opening and unwinding positions.
Any user calling these functions must trust the owner, creating complete centralization of risk.

Impact:

Users’ funds can be stolen or locked if the owner crafts malicious calldata.
Even fully collateralized positions can be drained during swaps.
Flash loan repayment logic will still attempt to repay the loan, but leftover tokens could be redirected.

Proof of Concept

// Owner crafts malicious 1inch swap data to drain collateral

bytes memory maliciousSwapData = abi.encodeWithSignature(

"swap(address,address,uint256,address,bytes)",

userCollateral,

DAI,

IERC20(userCollateral).balanceOf(address(Stratax)),

address(owner),

"" // could call arbitrary contract

);

// User opens leveraged position

stratax.createLeveragedPosition(

userCollateral,

100e18,

50e18,

DAI,

50e18,

maliciousSwapData,

0 // no slippage check

);

// Result: user's collateral is sent to owner or arbitrary contract

The _call1InchSwap function blindly executes owner-provided calldata. Malicious data could:

Transfer collateral to attacker’s address
Swap to worthless tokens
Trigger arbitrary contract calls

This is a complete trust-of-owner issue and represents a centralization risk that can lead to full fund loss.

Recommended Mitigation

- (bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);

+ // Use a safe swap library or only allow predefined, vetted swap paths

+ // Example: enforce only swaps via 1inch router with pre-approved paths

+ require(isAllowedSwap(_swapParams), "Swap not allowed");

+ (bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);

Never allow arbitrary low-level calls supplied by an externally trusted party.
Implement whitelisted swap paths or use a safe aggregator interface with parameters strictly validated.
Consider multi-signature execution for swap calldata changes.
Include slippage checks and max loss limits to prevent unintended fund loss.

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!