Submission Details
Severity:
Race condition in mint/repay functions allows debt manipulation
Summary
A race condition between mint and repay functions in the Alchemist contract allows users to manipulate their debt position by repaying less than minted and immediately minting again.
Vulnerability Details
The contract allows users to:
Mint tokens
Repay less than the minted amount
Immediately mint again without proper debt validation
function testMintRepayRaceCondition() public {
uint256 mintAmount = 100e18;
vm.startPrank(user);
// Initial mint
alchemist.mint(mintAmount, user);
// Repay less than minted
uint256 repayAmount = mintAmount - 10e18;
alchemist.repay(underlying, repayAmount, user);
// Can immediately mint again
alchemist.mint(10e18, user); // Exploits debt tracking
}
Impact
Users can manipulate their debt position
Potential economic damage to the protocol
Risk of undercollateralized positions
System debt accounting could become inaccurate
Tools Used
Foundry
Manual Review
Recommendations
Add debt cooldown period:
mapping(address => uint256) lastRepayTimestamp;
function repay(address _underlying, uint256 _amount, address _recipient) external {
require(block.timestamp >= lastRepayTimestamp[msg.sender] + 1 hours, "Cooldown active");
// ... existing code ...
lastRepayTimestamp[msg.sender] = block.timestamp;
}
Enforce full repayment:
require(repayAmount >= mintedAmount, "Must repay full amount");
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366 OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.