Alchemix Transmuter

01. Relevant GitHub Links

• https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L81C1-L88C6

• https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L95C1-L103C6

02. Summary

In the StrategyOp and StrategyArb contracts, the internal _swapUnderlyingToAsset functions pass block.timestamp as the deadline parameter directly into the swapExactTokensForTokens function. This approach effectively nullifies the intended deadline protection, making it vulnerable to MEV attacks and front-running scenarios. Since the transaction deadline is essentially the same moment it is created, it does not prevent transactions from lingering in the mempool where bots could reorder or manipulate execution times. This can potentially allow malicious actors to sandwich the transaction and extract value at the protocol’s expense.

03. Vulnerability Details

Issue: The current implementation uses block.timestamp as a deadline:

Why is this problematic?

• MEV & Front-running: By providing no meaningful time buffer, attackers monitoring the mempool can observe the pending swap transaction and attempt to reorder or front-run it, adjusting their own trades to gain an advantage. For example, bots might introduce a transaction just before the victim’s swap (a front-run) and another just after it (a back-run), potentially capturing arbitrage profits or causing slippage losses to the protocol.

• Security Process Bypass: The intended security mechanism of deadlines (to ensure that trades do not execute under stale conditions) is effectively bypassed. Without a proper deadline, the transaction could be picked up and executed in an unfavorable market condition, or delayed by malicious network participants until it becomes beneficial for them.

Real-world Consequence:

If a transaction is intended to execute quickly but lingers in the mempool (due to network congestion or intentional delay), bots can craft MEV strategies to profit from price movements or liquidity conditions. This can degrade user experience, introduce slippage losses, and potentially reduce protocol profitability.

04. Impact

• Medium Severity: While not as destructive as a direct re-entrancy or logic manipulation bug, the lack of a proper deadline makes these swaps susceptible to MEV extraction. Over time, consistent front-running can lead to significant financial losses and degrade trust in the protocol.

• Financial Loss: MEV attackers can extract value, indirectly costing the protocol or its users.

• Security Process Failure: The mechanism supposed to enforce timely and safe execution (deadlines) is rendered ineffective, weakening the security posture.

05. Tools Used

Manual Code Review and Foundry

06. Recommended Mitigation

Instead of passing block.timestamp as the deadline, modify the function to accept a deadline parameter from the caller. For example: