Stratax Contracts
First Flight #57
Beginner FriendlyDeFi
100 EXP
View all submissions
Previous Next
Submission Details
Impact: medium
Likelihood: high

Hardcoded 5% Slippage Buffer Can Cause Unwind DoS or Capital Inefficiency

Author Revealed upon completion

Root + Impact

Description

When unwinding, the protocol needs to withdraw enough collateral from Aave so that, after swapping via 1inch, it can obtain sufficient debt tokens to repay the flash loan (and/or debt). The helper calculateUnwindParams() estimates the needed collateral using oracle prices, then adds a fixed 5% buffer.

This approach is brittle:

  • Underestimation: Real slippage and MEV can exceed 5% (especially for large trades or thin liquidity), causing the unwind flow to revert because the swap cannot meet _minReturnAmount or the flash loan cannot be repaid.

  • Overestimation: In normal conditions slippage can be far less than 5%, meaning the protocol withdraws more collateral than required, reducing efficiency and complicating correct “return equity to user” accounting.

function calculateUnwindParams(address _collateralToken, address _borrowToken)
public
view
returns (uint256 collateralToWithdraw, uint256 debtAmount)
{
(,, address debtToken) = aaveDataProvider.getReserveTokensAddresses(_borrowToken);
debtAmount = IERC20(debtToken).balanceOf(address(this));
uint256 debtTokenPrice = IStrataxOracle(strataxOracle).getPrice(_borrowToken);
uint256 collateralTokenPrice = IStrataxOracle(strataxOracle).getPrice(_collateralToken);
collateralToWithdraw =
(debtTokenPrice * debtAmount * 10 ** IERC20(_collateralToken).decimals())
/ (collateralTokenPrice * 10 ** IERC20(_borrowToken).decimals());
// @> Hardcoded 5% buffer (assumes slippage <= 5%)
collateralToWithdraw = (collateralToWithdraw * 1050) / 1000;
}

Risk

Likelihood:

  • This logic is used whenever users rely on calculateUnwindParams() to prepare unwind inputs; the 5% multiplier is always applied.

  • Slippage > 5% is realistic during market volatility, MEV sandwiching, low-liquidity routes, or large unwind sizes relative to pool depth.

Impact:

  • Unwind DoS / Stuck Positions: If actual slippage exceeds 5%, the unwind transaction can repeatedly revert, preventing users from closing risk.

  • Inefficiency / Incorrect Withdrawals: If slippage is much lower than 5%, the protocol may withdraw more collateral than needed, which can worsen equity accounting and increase exposure to other unwind bugs.

Proof of Concept

```solidity
// Example:
// - Debt to repay (flash loan + premium): 1,000 USDC
// - Oracle-implied collateral needed: 0.50 WETH
// - calculateUnwindParams adds 5% => withdraw 0.525 WETH
//
// Case A (volatile market / MEV):
// - Real execution slippage: 12%
// - 0.525 WETH swaps to only ~924 USDC
// - Swap fails minReturn or flash loan repayment fails -> unwind reverts -> user cannot exit
//
// Case B (normal market):
// - Real execution slippage: 0.5%
// - 0.525 WETH swaps to ~1,045 USDC
// - Extra collateral was withdrawn unnecessarily; equity/returns handling becomes more complex

Recommended Mitigation

Make the slippage buffer configurable (per-call or per-user) and rely on the DEX quote + _minReturnAmount for the actual protection.

Minimal change (remove the hardcoded multiplier and let _minReturnAmount / quotes drive the unwind):

// Account for 5% slippage in swap
-collateralToWithdraw = (collateralToWithdraw * 1050) / 1000;
// Do not apply a hardcoded slippage buffer; use swap minReturnAmount instead.

Better change (parameterize the buffer in basis points):

-function calculateUnwindParams(address _collateralToken, address _borrowToken)
+function calculateUnwindParams(address _collateralToken, address _borrowToken, uint256 slippageBps)
public
view
returns (uint256 collateralToWithdraw, uint256 debtAmount)
{
// ... compute collateralToWithdraw from oracle prices ...
- collateralToWithdraw = (collateralToWithdraw * 1050) / 1000;
+ require(slippageBps <= 10_000, "invalid slippageBps");
+ collateralToWithdraw = (collateralToWithdraw * (10_000 + slippageBps)) / 10_000;
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!