Both the StrategyArb and StrategyOp contracts include a setRouter(address _router) function that lets management replace the router address used for token swaps. Beyond patching potential router vulnerabilities or upgrading to a new router version, the function is also used to switch decentralized exchanges (DEXes) entirely. However, if the newly set router's swap function differs from the one the contract expects (for example, if it no longer exposes the same function signature, swapExactTokensForTokens(...)), the swapping mechanism breaks. Calls to swapExactTokensForTokens then fail, preventing the contract from performing token swaps and leaving functions such as claimAndSwap inoperable until the router is set correctly.
Both contracts provide a function setRouter restricted to onlyManagement. This function updates the router address and sets an infinite token allowance to the new router.
Inside StrategyArb (and similarly in StrategyOp), the function _swapUnderlyingToAsset calls:
If the newly set router’s contract does not expose the swapExactTokensForTokens(uint256, uint256, route[] calldata, address, uint256) function in the exact same signature, calls to this function will revert. Consequently:
The contract cannot perform necessary swaps.
The claimAndSwap function, which depends on this swap, fails.
Impact on Claim Functionality
The claimAndSwap function is the only way to claim WETH from the transmuter and swap it to alETH within the strategy. If swapping fails due to an invalid or incompatible router address, the contract is effectively unable to claim and swap tokens, causing a denial-of-service condition for this functionality.
Denial of Service (DOS): Management can unintentionally introduce a DOS if a router is set to an incompatible contract.
Loss of Yield: If the contract cannot swap WETH into alETH, it cannot take advantage of potential premium swaps, losing possible yield or arbitrage opportunities.
Operational Risk: While restricted to management, any mistake or malicious action (in the worst case) results in a broken workflow that requires a contract upgrade or re-deployment to fix.
Tools used: manual code review and Foundry.
Recommended mitigation: allow custom calldata for router calls, so the strategy is not hard-wired to a single swap function signature.
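As an added illustration (not the audited strategies' code), the sketch below shows a defensive variant of setRouter that refuses non-contract addresses and revokes the stale infinite allowance, plus a swap wrapper that turns an ABI-incompatible router's opaque revert into a typed error management can recognise. The route struct layout, the token roles (WETH as underlying, alETH as asset) and the management modifier are assumptions; it does not implement the custom-calldata approach recommended above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch. Interfaces are minimal; the route struct follows the
// Velodrome-style signature quoted in the finding (assumption).
interface IERC20Minimal {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IVeloLikeRouter {
    struct route { address from; address to; bool stable; }
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, route[] calldata routes,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

contract RouterManagedStrategy {
    error RouterNotContract(address router);
    error RouterSwapFailed(address router, bytes reason);
    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    address public management;
    address public router;
    IERC20Minimal public immutable underlying; // e.g. WETH in the finding

    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }

    constructor(IERC20Minimal _underlying, address _router) {
        management = msg.sender;
        underlying = _underlying;
        _setRouter(_router);
    }

    function setRouter(address _router) external onlyManagement { _setRouter(_router); }

    function _setRouter(address _router) internal {
        // An EOA or empty address can never serve swaps: reject it up front.
        if (_router.code.length == 0) revert RouterNotContract(_router);
        address old = router;
        if (old != address(0)) underlying.approve(old, 0); // revoke stale infinite allowance
        router = _router;
        underlying.approve(_router, type(uint256).max);
        emit RouterUpdated(old, _router);
    }

    function _swapUnderlyingToAsset(uint256 amountIn, uint256 minOut,
        IVeloLikeRouter.route[] calldata routes) internal returns (uint256 out) {
        try IVeloLikeRouter(router).swapExactTokensForTokens(
            amountIn, minOut, routes, address(this), block.timestamp
        ) returns (uint256[] memory amounts) {
            out = amounts[amounts.length - 1];
        } catch (bytes memory reason) {
            // A router lacking this selector reverts with empty data; surface
            // it as a typed error so the misconfiguration is obvious off-chain.
            revert RouterSwapFailed(router, reason);
        }
    }
}
```

Monitoring RouterUpdated and RouterSwapFailed events in a Foundry test or off-chain watcher gives an early signal that a router change has broken claimAndSwap, rather than discovering it through silently failing keeper calls.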