Submission Details
Severity: medium
Invalid

Keeper Can Decide Route

Summary

In the claimAndSwap function of the StrategyArb, StrategyMainnet and StrategyOp contracts, the swap path or route number is passed in as a call parameter. This call can be made by the keeper. However, by definition the keeper should not be trusted to choose it.

Vulnerability Details

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L71-L78
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L79-L89
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L92-L113

According to the role definitions in the documentation provided by the protocol team, the keeper should not have the right to choose the path/route number. However, looking at the implementations of the claimAndSwap functions in the three strategies, the keeper supplies this value directly and is implicitly trusted to choose it correctly.

Impact

A malicious keeper can choose a wrong path/route number for the swap.

Tools Used

Manual Review

Recommendations

Update the logic of path/route number choice so it is chosen by a role that has the right to do so.
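The access-control split that the recommendation describes, as an added illustration that is not the Alchemix code: the contract, router interface, function names and modifiers below are hypothetical. The "before" function shows the pattern the finding describes (keeper picks the route per call); the "after" pair moves route selection behind a management-only setter so the keeper can only trigger the swap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical router: routeNumber selects one of several pre-registered paths.
interface IRouter {
    function swapWithRoute(uint256 routeNumber, uint256 amountIn, uint256 minOut)
        external returns (uint256 amountOut);
}

// Illustrative minimal strategy, not the audited project's contract.
contract RouteChoiceExample {
    address public immutable management;
    address public keeper;
    IRouter public immutable router;

    // Route chosen by management and stored, instead of supplied per call by the keeper.
    uint256 public approvedRoute;

    event RouteUpdated(uint256 oldRoute, uint256 newRoute);

    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }
    modifier onlyKeeper() { require(msg.sender == keeper || msg.sender == management, "!keeper"); _; }

    constructor(address _keeper, IRouter _router, uint256 _route) {
        management = msg.sender;
        keeper = _keeper;
        router = _router;
        approvedRoute = _route;
    }

    // BEFORE (pattern the finding describes): the keeper picks the route on every call,
    // so a compromised or malicious keeper controls which path the funds take.
    function claimAndSwapUntrusted(uint256 amountIn, uint256 minOut, uint256 routeNumber)
        external onlyKeeper returns (uint256)
    {
        return router.swapWithRoute(routeNumber, amountIn, minOut);
    }

    // AFTER: only management may change the route; the keeper can only trigger the swap.
    function setRoute(uint256 newRoute) external onlyManagement {
        emit RouteUpdated(approvedRoute, newRoute);
        approvedRoute = newRoute;
    }

    function claimAndSwap(uint256 amountIn, uint256 minOut) external onlyKeeper returns (uint256) {
        return router.swapWithRoute(approvedRoute, amountIn, minOut);
    }
}
```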

Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
