Stratax Contracts
First Flight #57
Beginner FriendlyDeFi
100 EXP
View all submissions
Previous Next
Submission Details
Impact: medium
Likelihood: medium

No Emergency Pause Mechanism for Critical Functions

Author Revealed upon completion

No Emergency Pause Mechanism for Critical Functions

Description

  • The Stratax contract has no pause / unpause functionality. The critical functions createLeveragedPosition and unwindPosition cannot be halted under any circumstances.

  • During an active exploit, oracle failure, 1inch router compromise, or market crash, the owner has no way to stop the protocol from operating on potentially corrupt data.

// @audit No whenNotPaused modifier — these functions cannot be paused
function createLeveragedPosition(...) public onlyOwner { ... }
function unwindPosition(...) external onlyOwner { ... }

  • The contract also lacks circuit breakers, rate limiters, or any other emergency safeguard.

Risk

Likelihood:

  • Oracle failures, exchange delistings, and protocol exploits occur regularly in DeFi

  • The 1inch router is an external dependency that could experience downtime or be compromised

  • Market flash crashes can cause rapid, extreme price movements

Impact:

  • During an oracle failure: The protocol uses stale prices (see H-001) to calculate leverage and collateral, potentially creating dangerous positions

  • During a 1inch compromise: Swap operations may route through malicious paths, though flash loan atomicity limits the damage

  • During a market crash: The owner may want to prevent position creation at extreme leverage to protect against immediate liquidation, but has no mechanism to do so

  • All other major DeFi protocols have pause mechanisms: Aave, Compound, Uniswap, MakerDAO, etc.

Real-World Precedent:

  • Euler Finance (2023-03-13): The $197M exploit could have been limited if pause was triggered faster

  • Compound (2021-09): COMP token distribution bug was mitigated by pausing the affected market

  • Aave has per-asset and global pause capabilities specifically for these scenarios

Proof of Concept

How the issue manifests:

  1. The Stratax team discovers an ongoing exploit or Chainlink oracle failure

  2. They want to immediately stop all position creation and unwinding

  3. There is no function to call — the protocol continues operating

  4. The owner's only option is to set the oracle to address(0) via setStrataxOracle(), which would cause reverts in functions that use the oracle, but createLeveragedPosition would still work if the owner provides prices directly

  5. The owner has no clean way to halt operations

Expected outcome: The protocol continues operating during the incident, with no ability for the team to intervene.

Recommended Mitigation

The root cause is the absence of any pause mechanism. The fix should implement a standard pausable pattern that allows the owner to halt critical operations during emergencies.

Primary fix — Implement OpenZeppelin PausableUpgradeable:

import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
contract Stratax is Initializable, PausableUpgradeable {
function initialize(...) external initializer {
__Pausable_init();
// ... existing init
}
function createLeveragedPosition(...) public onlyOwner whenNotPaused { ... }
function unwindPosition(...) external onlyOwner whenNotPaused { ... }
function pause() external onlyOwner {
_pause();
}
function unpause() external onlyOwner {
_unpause();
}
}

Why this works:

  • whenNotPaused modifier prevents execution of critical functions while the contract is paused

  • The owner can react to incidents within seconds by calling pause()

  • unpause() restores normal operation once the issue is resolved

  • The gas overhead is minimal (one SLOAD per function call to check the paused flag)

  • This is the standard DeFi practice — every major protocol implements pause capabilities

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!