Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Route Index Validation in claimAndSwap() Function Allows Access to Uninitialized Storage.

teoslaf

Summary

The claimAndSwap function in the StrategyMainnet contract lacks validation for the _routeNumber parameter, potentially allowing access to uninitialized storage slots when attempting to execute swaps through Curve.

Vulnerability

Details In the claimAndSwap function, the contract attempts to access route data using an unchecked index:

While the function is protected by onlyKeepers, there's no validation that \_routeNumber is less than nRoutes, which could lead to accessing uninitialized storage slots.

function claimAndSwap(
uint256 _amountClaim,
uint256 _minOut,
uint256 _routeNumber
) external onlyKeepers {
// ...
router.exchange(
routes[_routeNumber], // No validation that _routeNumber < nRoutes
swapParams[_routeNumber],
_amountClaim,
_minOut,
pools[_routeNumber],
address(this)
);
// ...
}

Impact

  • Could cause transaction reverts in unexpected ways

  • Makes the code rely on external contract behavior for validation

  • Poor error reporting for keepers when using invalid routes

Tools

Manual code review, Foundry

function test_claimAndSwapInvalidRoute() public {
uint256 claimAmount = 1e18;
vm.prank(keeper);
vm.expectRevert();
strategy.claimAndSwap(claimAmount, claimAmount * 2, 999);
}

Recommendations

Add explicit validation at the start of the function:

function claimAndSwap(
uint256 _amountClaim,
uint256 _minOut,
uint256 _routeNumber
) external onlyKeepers {
require(_routeNumber < nRoutes, "Invalid route");
// ... rest of the function
}
Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.