DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: high
Invalid

Lack of Emergency Pause Mechanism Across Core Strategy Contracts

Summary

The protocol lacks an emergency pause mechanism across three main strategy contracts: StrategyMainnet.sol, StrategyArb.sol, and StrategyOp.sol. These contracts are integral to the automated strategy built on the Yearn V3 strategy template and Alchemix, which enables users to earn yield on Alchemix tokens (primarily alETH) by leveraging potential depegs. However, the absence of a pause mechanism exposes the protocol to serious risks in the event of exploits, misconfigurations, or adverse market conditions, as critical operations cannot be temporarily suspended to prevent further harm.

Vulnerability Details

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L11
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L11
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L11

The contracts implement no paused state variable or corresponding modifier (whenNotPaused) to safeguard critical functions during emergencies.
The protocol's strategy centers around automated yield generation and capitalizing on depegs, relying on external interactions with the Alchemix transmuter and Curve routers. Without a pause mechanism, any failure or vulnerability in these external systems or within the protocol itself could lead to irrecoverable fund losses.
DeFi protocols such as this always have a pause mechanism. The lack of one poses a serious security challenge.

Impact

  1. Protocol administrators would be unable to intervene effectively during emergencies.

  2. Without a pause mechanism, any failure or vulnerability in these external systems or within the protocol itself could lead to irrecoverable fund losses.

Tools Used

VS Code, manual analysis

Recommendations

Implement an emergency pause mechanism.
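
A minimal sketch of the paused flag and whenNotPaused modifier named in the report, as an added example (not code from the audited repository or from the submitter). The contract, role and function names are hypothetical; it gates deposits, lets a guardian key pause but only management unpause, and leaves withdrawals open so users can exit while paused.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration only. PausableStrategySketch, management, guardian,
// deposit and withdraw are hypothetical names, not the project's API.
contract PausableStrategySketch {
    address public immutable management; // may pause and unpause
    address public immutable guardian;   // may only pause (fast-response key)
    bool public paused;
    mapping(address => uint256) public balanceOf;

    event Paused(address indexed by);
    event Unpaused(address indexed by);

    error NotAuthorized();
    error StrategyPaused();

    constructor(address _guardian) {
        management = msg.sender;
        guardian = _guardian;
    }

    modifier whenNotPaused() {
        if (paused) revert StrategyPaused();
        _;
    }

    // Pausing is cheap to trigger: either role can do it.
    function pause() external {
        if (msg.sender != management && msg.sender != guardian) revert NotAuthorized();
        paused = true;
        emit Paused(msg.sender);
    }

    // Resuming is the riskier action, so it is restricted to management.
    function unpause() external {
        if (msg.sender != management) revert NotAuthorized();
        paused = false;
        emit Unpaused(msg.sender);
    }

    // New funds are refused while paused.
    function deposit() external payable whenNotPaused {
        balanceOf[msg.sender] += msg.value;
    }

    // Deliberately NOT gated: a pause must never trap user funds.
    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8+
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```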

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
