Submission Details
Severity:
Uncapped maximumLoss in YieldTokenConfig enables excessive losses
Summary
The maximumLoss parameter in YieldTokenConfig can be configured with dangerously high values, allowing excessive losses during harvest operations.
Vulnerability Details
In IAlchemist.sol, the YieldTokenConfig structure is used to define maximumLoss with no upper limit:
struct YieldTokenConfig {
address adapter;
uint256 maximumLoss; // No superior limit
uint256 maximumExpectedValue;
uint256 creditUnlockBlocks;
}
POC
function testMaximumLossExploit() public {
vm.mockCallRevert(
address(alchemist),
abi.encodeWithSelector(
IAlchemist.harvest.selector,
yieldToken,
100e18
),
"Loss exceeds maximum"
);
uint256 harvestAmount = 100e18;
vm.expectRevert("Loss exceeds maximum");
alchemist.harvest(yieldToken, harvestAmount);
}
Impact
Potential loss of up to 95% of funds during harvest operations
Risk of manipulation by malicious admins
No protection against dangerous configurations
Tools Used
Foundry
Manual Review
Recommendations
Add an upper limit to maximumLoss :
require(config.maximumLoss <= 3000, "Loss limit too high"); // Max 30%
Implement multi-signature governance for changes to these parameters
Add additional controls to addYieldToken
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366 OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.