Submission Details
Severity:
routes should be identified by their parameters hashes instead of counter
Summary
Currently, how claimAndSwap works in StrategyMainnet.sol causes a loss of funds for protocol when swapping weth back to alETH if a re-org occurs.
Vulnerability Details
function claimAndSwap(
uint256 _amountClaim,
uint256 _minOut,
uint256 _routeNumber
) external onlyKeepers {
transmuter.claim(_amountClaim, address(this));
uint256 balBefore = asset.balanceOf(address(this));
require(_minOut > _amountClaim, "minOut too low");
router.exchange(
routes[_routeNumber],
swapParams[_routeNumber],
_amountClaim,
_minOut,
pools[_routeNumber],
address(this)
);
uint256 balAfter = asset.balanceOf(address(this));
require((balAfter - balBefore) >= _minOut, "Slippage too high");
transmuter.deposit(asset.balanceOf(address(this)), address(this));
}
Routes are identified by an id _routeNumber . This way creates risks for mismatching different routes, for example in case of a reorg incident keepers could claimAndSwap using other routes than they intended due to switched orders of TXs in the block.
Impact
loss of funds for protocol
Tools Used
Consider using a hash of the routes parameters as an identifier for exchanging weth to alETH during claimAndSwap process
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366
OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.