Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: high
Invalid

`minOut` is required to be greater than `_amountClaim` leading to claim failures

sancybars
## Vunlerability Details
The `claimAndSwap` function in the strategies are used to claim `WETH` from the transmuter which is then swapped to `ALETH` and deposited back to the transmuter.
The `keeper` specifies the `_amountClaim` and the `_minOut` for slippage, However the `require` statement `require(_minOut > _amountClaim, "minOut too low");` in `_swapUnderlyingToAsset` only allows the `_minOut` to be greater than the `_amountClaim` which is the amount of `WETH` to claim from the transmuter.
This is an issue because if the `_amountClaim` is equal to `_minOut` the transaction reverts.
Due to the high slippage set the set `require((balAfter - balBefore) >= _minOut, "Slippage too high");` will also revert the transaction the recovered asset is less than the `_minOut`
## POC
```solidity
function claimAndSwap(
uint256 _amountClaim,
uint256 _minOut,
uint256 _routeNumber
) external onlyKeepers {
transmuter.claim(_amountClaim, address(this));
uint256 balBefore = asset.balanceOf(address(this));
require(_minOut > _amountClaim, "minOut too low");
router.exchange(
routes[_routeNumber],
swapParams[_routeNumber],
_amountClaim,
_minOut,
pools[_routeNumber],
address(this)
);
uint256 balAfter = asset.balanceOf(address(this));
require((balAfter - balBefore) >= _minOut, "Slippage too high");
transmuter.deposit(asset.balanceOf(address(this)), address(this));
}
function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
// TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
// uint256 oraclePrice = 1e18 * 101 / 100;
require(minOut > _amount, "minOut too low")//@audit
uint256 underlyingBalance = underlying.balanceOf(address(this));
require(underlyingBalance >= _amount, "not enough underlying balance");
IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);//@audit
}
```
consider the following::
The transmuter have unclaimed 100 `WETH`.
The `keeper` calls `claimAndSwap` with the following parameters:
` _amountClaim` = 100
`_minOut` = 100
` _routeNumber` = 5
The `keeper` expects this transaction to pass because thats all the tokens available in the transmuter but it fails because of the check`require(_minOut > _amountClaim, "minOut too low");` in `_swapUnderlyingToAsset`
However if the `keeper` calls `claimAndSwap` with the following parameters:
` _amountClaim` = 100
`_minOut` = 101
` _routeNumber` = 5
When the router is invoked to swap the call reverts because `swapExactTokensForTokens` check for slippage will require `_amount` >= `minOut`
which is not the case because `-minOut` is set to be larger than the token being swapped.
This is the same for all current strategies`Op`, `mainnet` and `arb`.
## Impact
failure to claim and swap from the transmuter if amount to claim is more than slippage
## Reconmendation
change the operator to `>=` to allow transactions of equal amount.
`require(_minOut >= _amountClaim, "minOut too low");`
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.