Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Open flow can falsely fail flash-loan repayment when 1inch returns empty data due to wrong asset accounting

Author Revealed upon completion

Description

  • Normal behavior: after swapping the borrowed token to the collateral token, the contract should measure the collateral received to verify flash-loan repayment.

  • Issue: createLeveragedPosition passes borrowToken into _call1InchSwap as _asset. In fallback mode (empty router return data), _call1InchSwap reads balanceOf(_asset) from the wrong token, producing incorrect returnAmount and false repayment failure.

// src/Stratax.sol
function _executeOpenOperation(...) internal returns (bool) {
    ...
@>  uint256 returnAmount =
@>      _call1InchSwap(flashParams.oneInchSwapData, flashParams.borrowToken, flashParams.minReturnAmount);
    ...
@>  require(returnAmount >= totalDebt, "Insufficient funds to repay flash loan");
}

function _call1InchSwap(bytes memory _swapParams, address _asset, uint256 _minReturnAmount)
    internal
    returns (uint256 returnAmount)
{
    (bool success, bytes memory result) = address(oneInchRouter).call(_swapParams);
    require(success, "1inch swap failed");
    if (result.length > 0) {
        (returnAmount,) = abi.decode(result, (uint256, uint256));
    } else {
@>      returnAmount = IERC20(_asset).balanceOf(address(this));
    }
}

Risk

Likelihood:

  • Reason 1: The router's non-standard/empty return-data path occurs in integration edge cases.

  • Reason 2: The flash-loan open flow depends entirely on the correctness of returnAmount for repayment validation.

Impact:

  • Impact 1: A false-negative repayment check can revert the open-position transaction.

  • Impact 2: Protocol availability for opening leverage is reduced under router return-data variability.

Proof of Concept

This PoC configures the mock router to execute via fallback (empty return data), while still minting enough destination tokens to cover repayment. The transaction then reverts with "Insufficient funds to repay flash loan", confirming that fallback accounting reads the wrong token balance.

// test/poc/StrataxVulnerabilities.t.sol
function testPoC_OpenFlowRevertsWhenRouterReturnsEmptyDataDueToWrongAssetAccounting() public {
    router.setSwap(address(debtToken), address(collateralToken), borrowAmount, flashLoanAmount + 100e18);
    vm.expectRevert("Insufficient funds to repay flash loan");
    stratax.createLeveragedPosition(
        address(collateralToken),
        flashLoanAmount,
        ownerCollateral,
        address(debtToken),
        borrowAmount,
        hex"deadbeef", // hits fallback() and returns empty data
        0
    );
}

Recommended Mitigation

The mitigation ensures the open flow always measures output in the destination token (_asset) and, ideally, by balance delta. That avoids dependence on router return-data shape and prevents false repayment failures.
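
One way to implement the balance-delta measurement described above, as an added example that is not the project's own code. The contract name SwapAccounting, the function _swapAndMeasure, the router field and the last two revert strings are assumptions, and the router is assumed to have been approved to spend the input token before the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 view used here (assumed interface, not the project's import).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical stand-alone helper; `router` stands in for the page's oneInchRouter.
abstract contract SwapAccounting {
    address internal immutable router;

    constructor(address _router) {
        router = _router;
    }

    /// @param _swapParams      calldata forwarded to the router
    /// @param _tokenOut        token the swap is expected to deliver
    ///                         (the collateral token in the open flow)
    /// @param _minReturnAmount minimum acceptable amount of _tokenOut
    function _swapAndMeasure(bytes memory _swapParams, address _tokenOut, uint256 _minReturnAmount)
        internal
        returns (uint256 returnAmount)
    {
        // Snapshot the destination-token balance before the router runs.
        uint256 balanceBefore = IERC20(_tokenOut).balanceOf(address(this));

        // Return data is deliberately ignored: its shape no longer matters.
        (bool success,) = router.call(_swapParams);
        require(success, "1inch swap failed");

        uint256 balanceAfter = IERC20(_tokenOut).balanceOf(address(this));
        // A swap must never reduce the output-token balance.
        require(balanceAfter >= balanceBefore, "Output balance decreased");

        // Amount actually received, whether or not the router returned data.
        // Tokens already held before the swap are not counted.
        returnAmount = balanceAfter - balanceBefore;
        require(returnAmount >= _minReturnAmount, "Insufficient return amount from swap");
    }
}
```
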

- _call1InchSwap(flashParams.oneInchSwapData, flashParams.borrowToken, flashParams.minReturnAmount);
+ _call1InchSwap(flashParams.oneInchSwapData, _asset, flashParams.minReturnAmount);
- Fallback returnAmount uses potentially wrong token balance.
+ Track before/after balance delta of the expected destination token and use that as returnAmount.
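
Review bot: the `+` call-site line passes `_asset`, but the excerpt of `_executeOpenOperation(...)` elides its parameters, so the patch should state which variable in that scope holds the collateral (destination) token. The second change is given only as prose: the fallback line `returnAmount = IERC20(_asset).balanceOf(address(this));` is left as is, and it returns the contract's whole balance of that token rather than what the swap delivered. Suggest snapshotting the destination token's balance before the router call and assigning the after-minus-before difference to returnAmount, so the value compared against `totalDebt` reflects only the swap output.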
