Submission Details
Severity:
maximumExpectedValue bypass in harvest function allows exceeding configured limits
Summary
The harvest function allows processing amounts larger than the configured maximumExpectedValue, potentially bypassing an important safety limit.
Vulnerability Details
In IAlchemist.sol, maximumExpectedValue is defined as a safety parameter but can be bypassed:
struct YieldTokenConfig {
// ...
uint256 maximumExpectedValue; // Should limit maximum value
// ...
}
PoC:
function testMaximumValueBypass() public {
IAlchemist.YieldTokenConfig memory config = IAlchemist.YieldTokenConfig({
adapter: address(1),
maximumLoss: 1000,
maximumExpectedValue: 100e18, // Set low limit
creditUnlockBlocks: 100
});
uint256 harvestAmount = 200e18; // Double the maximumExpectedValue
alchemist.harvest(yieldToken, harvestAmount); // Successfully processes larger amount
}
Impact
Safety limits can be bypassed
Potential for larger than intended harvests
Risk of economic damage due to uncapped operations
Tools Used
Foundry
Manual Review
Recommendations
1. Add value check in harvest function:
function harvest(address yieldToken, uint256 amount) external {
require(amount <= yieldTokenConfig[yieldToken].maximumExpectedValue, "Amount exceeds maximum");
// ... rest of the function
}
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366 OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.