Stratax Contracts
First Flight #57
Beginner FriendlyDeFi
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: low
Invalid

`setFlashLoanFee` Allows Setting Fee Up to 99.99%

quanghoa27061998

setFlashLoanFee Allows Setting Fee Up to 99.99%

Description

  • The setFlashLoanFee function allows the owner to set the flash loan fee up to 9999 basis points (99.99%). The only validation is that it must be less than FLASHLOAN_FEE_PREC (10000):

function setFlashLoanFee(uint256 _flashLoanFeeBps) external onlyOwner {
require(_flashLoanFeeBps < FLASHLOAN_FEE_PREC, "Fee must be < 100%");
// @audit Allows fee up to 9999 bps (99.99%) — no reasonable upper bound
flashLoanFeeBps = _flashLoanFeeBps;
}

  • This fee is used in calculateOpenParams() to compute the minimum borrow amount needed to cover the flash loan cost:

uint256 flashLoanFee = (flashLoanAmount * flashLoanFeeBps) / FLASHLOAN_FEE_PREC;
uint256 minRequiredAfterSwap = flashLoanAmount + flashLoanFee;

Risk

Likelihood:

  • Low — only the owner can set this value, and a rational owner would not set an extreme fee

  • Only relevant if the owner key is compromised or the owner acts maliciously

Impact:

  • An extreme fee (e.g., 9999 bps = 99.99%) would cause calculateOpenParams() to return inflated minRequiredAfterSwap values

  • The require(borrowValueInCollateral >= minRequiredAfterSwap) check in calculateOpenParams() would fail for most reasonable leverage parameters, effectively disabling the helper function

  • The actual Aave flash loan fee is determined by Aave, not this parameter — this value is only used for internal calculations

  • No direct fund loss, but disrupts the usability of position calculation functions

Proof of Concept

How the issue manifests:

  1. Owner (or attacker with compromised key) calls setFlashLoanFee(9999) — sets fee to 99.99%

  2. User calls calculateOpenParams() to compute leverage parameters

  3. flashLoanFee = flashLoanAmount * 9999 / 10000 — almost equal to the entire flash loan amount

  4. minRequiredAfterSwap = flashLoanAmount + flashLoanFee — nearly 2x the flash loan

  5. The require(borrowValueInCollateral >= minRequiredAfterSwap) check fails for reasonable leverage

  6. The helper function becomes unusable

Expected outcome: calculateOpenParams() reverts for reasonable parameters when the fee is set to an extreme value.

Recommended Mitigation

The root cause is the lack of a reasonable upper bound on the fee parameter.

Primary fix — Add a reasonable upper bound:

uint256 public constant MAX_FLASH_LOAN_FEE_BPS = 100; // max 1%
function setFlashLoanFee(uint256 _flashLoanFeeBps) external onlyOwner {
require(_flashLoanFeeBps <= MAX_FLASH_LOAN_FEE_BPS, "Fee too high");
flashLoanFeeBps = _flashLoanFeeBps;
}

Why this works: The upper bound of 1% is generous for flash loan fees (Aave V3 charges 0.05-0.09%) while preventing extreme values that would break calculation functions. The constant makes the limit transparent and auditable.

Updates

Lead Judging Commences

izuman Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

onlyOwner functions

Owner is trusted

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!