Stratax Contracts
First Flight #57
Beginner FriendlyDeFi
100 EXP
View all submissions
Previous Next
Submission Details
Impact: low
Likelihood: low

`setFlashLoanFee` Allows Setting Fee Up to 99.99%

Author Revealed upon completion

setFlashLoanFee Allows Setting Fee Up to 99.99%

Description

  • The setFlashLoanFee function allows the owner to set the flash loan fee up to 9999 basis points (99.99%). The only validation is that it must be less than FLASHLOAN_FEE_PREC (10000):

function setFlashLoanFee(uint256 _flashLoanFeeBps) external onlyOwner {
require(_flashLoanFeeBps < FLASHLOAN_FEE_PREC, "Fee must be < 100%");
// @audit Allows fee up to 9999 bps (99.99%) — no reasonable upper bound
flashLoanFeeBps = _flashLoanFeeBps;
}

  • This fee is used in calculateOpenParams() to compute the minimum borrow amount needed to cover the flash loan cost:

uint256 flashLoanFee = (flashLoanAmount * flashLoanFeeBps) / FLASHLOAN_FEE_PREC;
uint256 minRequiredAfterSwap = flashLoanAmount + flashLoanFee;

Risk

Likelihood:

  • Low — only the owner can set this value, and a rational owner would not set an extreme fee

  • Only relevant if the owner key is compromised or the owner acts maliciously

Impact:

  • An extreme fee (e.g., 9999 bps = 99.99%) would cause calculateOpenParams() to return inflated minRequiredAfterSwap values

  • The require(borrowValueInCollateral >= minRequiredAfterSwap) check in calculateOpenParams() would fail for most reasonable leverage parameters, effectively disabling the helper function

  • The actual Aave flash loan fee is determined by Aave, not this parameter — this value is only used for internal calculations

  • No direct fund loss, but disrupts the usability of position calculation functions

Proof of Concept

How the issue manifests:

  1. Owner (or attacker with compromised key) calls setFlashLoanFee(9999) — sets fee to 99.99%

  2. User calls calculateOpenParams() to compute leverage parameters

  3. flashLoanFee = flashLoanAmount * 9999 / 10000 — almost equal to the entire flash loan amount

  4. minRequiredAfterSwap = flashLoanAmount + flashLoanFee — nearly 2x the flash loan

  5. The require(borrowValueInCollateral >= minRequiredAfterSwap) check fails for reasonable leverage

  6. The helper function becomes unusable

Expected outcome: calculateOpenParams() reverts for reasonable parameters when the fee is set to an extreme value.

Recommended Mitigation

The root cause is the lack of a reasonable upper bound on the fee parameter.

Primary fix — Add a reasonable upper bound:

uint256 public constant MAX_FLASH_LOAN_FEE_BPS = 100; // max 1%
function setFlashLoanFee(uint256 _flashLoanFeeBps) external onlyOwner {
require(_flashLoanFeeBps <= MAX_FLASH_LOAN_FEE_BPS, "Fee too high");
flashLoanFeeBps = _flashLoanFeeBps;
}

Why this works: The upper bound of 1% is generous for flash loan fees (Aave V3 charges 0.05-0.09%) while preventing extreme values that would break calculation functions. The constant makes the limit transparent and auditable.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!