Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Funds drain and DOS in `addRoute` Function

isanctuary

Summary

The addRoute function in the StrategyOp contract allows the Manager to introduce new swap routes without validating the input data. This lack of validation exposes the protocol to significant risks, including unauthorized token swaps, denial of service (DoS), and economic exploits. Malicious or malformed routes can disrupt the strategy's operations, drain funds, or cause yield inefficiencies. Implementing comprehensive input validation and a whitelist mechanism is critical to mitigate these risks.

Technical Details

Code Reference

The addRoute function directly accepts arrays for _route, _swapParams, and _pools without verification:

function addRoute(

address[11] calldata _route,

uint256[5][5] calldata _swapParams,

address[5] calldata _pools

) external onlyManagement {

routes[nRoutes] = _route;

swapParams[nRoutes] = _swapParams;

pools[nRoutes] = _pools;

nRoutes++;

}

Workflow Context

Functionality:
- addRoute allows the Manager to configure new routes for token swaps via Curve.
Input Parameters:
- _route: Array of 11 addresses defining the swap path.
- _swapParams: Multidimensional array defining swap parameters.
- _pools: Array of 5 pool addresses used in the route.
Issue:
- The function does not verify whether the inputs correspond to valid or safe configurations, leaving the protocol vulnerable to malicious or malformed routes.

Exploitation Scenarios

Scenario 1: Malicious Route Addition

Setup:

A malicious actor compromises the Manager role and adds a route where one of the pool addresses points to a malicious contract.
Execution:

The malicious pool exploits the unlimited approval granted to the router, siphoning WETH or alETH during a swap operation invoked by claimAndSwap.
Impact:

The protocol’s funds are drained to the malicious contract, causing significant financial loss.

Scenario 2: Revert-Induced Denial of Service (DoS)

Setup:

The Manager adds a route with a pool that always reverts transactions.
Execution:

When claimAndSwap is invoked, the swap operation fails due to the revert, preventing yield generation.
Impact:

All depositors are affected as the strategy cannot execute swaps, leading to a complete halt in operations.

Scenario 3: Unfavorable Trade Routes

Setup:

A route is added with parameters that facilitate trades at unfavorable rates, possibly involving a compromised or rogue pool.
Execution:

When swaps are executed, the strategy consistently receives less value in return, reducing yields.
Impact:

Users experience significant financial losses due to persistent inefficiencies in trade execution.

Impact Analysis

Severity: High

Financial Impact:

Unauthorized token swaps or unfavorable trade routes can lead to substantial fund losses.
Operational Impact:

Reverting routes or invalid configurations cause operational disruptions, affecting all depositors.
Reputational Impact:

Users lose trust in the protocol’s security and reliability, deterring adoption.

Root Cause Analysis

Lack of Input Validation:

The function does not verify whether the provided _route, _swapParams, and _pools correspond to safe or valid configurations.
Unlimited Privileges for Manager Role:

The Manager has unchecked authority to add routes, increasing the attack surface if compromised.

Mitigation Recommendations

1. Implement Comprehensive Input Validation

Pool Address Verification:
- Ensure all pool addresses in _pools are recognized and trusted within the Curve ecosystem.
require(isTrustedPool(_pools[i]), "Unrecognized pool address");
- Maintain a mapping of approved pools:
  
  mapping(address => bool) public trustedPools;
Route Length and Structure Validation:
- Check that _route and _swapParams conform to expected formats.
require(_route.length > 0 && _route.length <= 11, "Invalid route length");
require(_swapParams.length == _route.length - 1, "Invalid swap parameters");

2. Introduce a Whitelist Mechanism

Maintain a whitelist of approved pools and routers:

mapping(address => bool) public approvedPools;
function addPoolToWhitelist(address pool) external onlyGovernance {
approvedPools[pool] = true;
}
Reject any additions that do not conform to the whitelist:

require(approvedPools[_pools[i]], "Pool not approved");

Proof of Concept (PoC)

Reproducing the Issue

Deploy the contract and assign Manager privileges.
Add a route with a malicious pool address:

strategy.addRoute(
[maliciousPool, ...],
[validSwapParams],
[maliciousRouter, ...]
);
Invoke claimAndSwap with the malicious route, draining funds.

Verifying Mitigation

Implement pool address validation and whitelist checks.
Attempt to add a route with an unapproved pool or malformed parameters.
Observe that the transaction is reverted with a validation error.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.