Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: high
Invalid

Lack of Emergency Withdrawals and Pausable Mechanisms

isanctuary

Summary

The StrategyOp contract lacks crucial safety mechanisms to respond to emergencies, including an unimplemented _emergencyWithdraw function and the absence of a pausable mechanism for critical functions such as claimAndSwap and addRoute. These omissions leave the protocol exposed to potential exploits, where swift action is necessary to protect user funds. Mitigation includes implementing a robust emergency withdrawal function and pausable functionality to halt operations during anomalies or active attacks.

Technical Details

1. Missing Emergency Withdrawal Functionality

The contract includes commented-out templates for an _emergencyWithdraw function, but no actual implementation exists:

/**
* @dev Optional function for a strategist to override that will
* allow management to manually withdraw deployed funds from the
* yield source if a strategy is shutdown.
*
* @param _amount The amount of asset to attempt to free.
*
function _emergencyWithdraw(uint256 _amount) internal override {
// TODO: Implement emergency withdrawal logic
}

2. Missing Pause Mechanism for Critical Functions

The contract lacks a pausable pattern or equivalent mechanism to halt operations for critical functions such as:

  • claimAndSwap: Handles token swaps, exposing assets to slippage or malicious routes.

  • addRoute: Adds new swap routes, which could be manipulated if compromised.

No safeguards are in place to temporarily disable these functions in the event of an attack or security breach.

Exploitation Scenarios

Scenario 1: Lack of Emergency Withdrawals During Exploit

  1. Setup:

    The protocol detects a vulnerability in the router, allowing an attacker to manipulate swaps.

  2. Execution:

    Users attempt to withdraw funds but cannot do so as there is no emergency withdrawal mechanism.

  3. Impact:

    Users are locked into the system while the exploit continues, resulting in loss of funds and loss of trust in the protocol.

Scenario 2: Inability to Halt Operations During Malicious Activity

  1. Setup:

    An attacker exploits the addRoute function, adding a malicious route to redirect tokens.

  2. Execution:

    The attacker repeatedly calls claimAndSwap to drain funds.

  3. Impact:

    Without the ability to pause operations, the protocol continues to operate under compromised conditions, allowing significant financial losses.

Impact Analysis

  1. Financial Impact:

    • Lack of emergency withdrawals prevents timely asset recovery.

    • Inability to halt critical operations allows exploits to persist, exacerbating losses.

  2. Operational Impact:

    • Prolonged downtime during an exploit due to inability to pause functionality.

    • Increased difficulty in managing and mitigating active threats.

  3. Reputational Impact:

    • Users lose confidence in the protocol’s ability to respond to emergencies, affecting adoption and retention.

Root Cause Analysis

  1. Unimplemented Emergency Withdrawal Logic:

    The _emergencyWithdraw function is defined but lacks implementation, leaving no mechanism to recover funds during a crisis.

  2. No Pausable Functionality:

    The contract does not incorporate a pausable pattern, preventing swift suspension of operations during anomalies.

Mitigation Recommendations

1. Implement an Emergency Withdrawal Function

Enable fund recovery in the event of an emergency:

function _emergencyWithdraw(uint256 _amount) internal override onlyManagement {
uint256 availableBalance = asset.balanceOf(address(this));
uint256 withdrawAmount = _amount > availableBalance ? availableBalance : _amount;
asset.safeTransfer(msg.sender, withdrawAmount);
emit EmergencyWithdrawal(msg.sender, withdrawAmount);
}

  • Include an event for auditability:

    event EmergencyWithdrawal(address indexed user, uint256 amount);

2. Introduce a Pausable Mechanism

Use OpenZeppelin’s Pausable contract to halt critical operations:

contract StrategyOp is BaseStrategy, Pausable {
function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IRamsesRouter.route[] calldata _path) external onlyKeepers whenNotPaused {
// Function body
}
function addRoute(address[11] calldata _route, uint256[5][5] calldata _swapParams, address[5] calldata _pools) external onlyManagement whenNotPaused {
// Function body
}
function pause() external onlyEmergencyAuthorized {
_pause();
}
function unpause() external onlyManagement {
_unpause();
}
}

3. Enhance Monitoring and Logging

Log emergency events for better transparency and incident analysis:

event ContractPaused(address indexed admin);
event ContractUnpaused(address indexed admin);

Proof of Concept (PoC)

Emergency Withdrawal Test

  1. Deploy the contract with a mock _emergencyWithdraw implementation.

  2. Simulate a vulnerability in the router, locking funds.

  3. Call _emergencyWithdraw to transfer available funds to a secure address.

Pause Mechanism Test

  1. Deploy the contract with the Pausable functionality.

  2. Simulate an exploit targeting the claimAndSwap function.

  3. Trigger the pause function and attempt to call claimAndSwap.

    Observe that the function cannot be executed while the contract is paused.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.