Submission Details
Severity: high
Invalid

StrategyArb.claimAndSwap Vulnerable to MEV and Susceptible to Reverts Due to Missing Claim Check

Summary

The StrategyArb contract's claimAndSwap function exhibits two vulnerabilities. The first is a susceptibility to MEV attacks due to reliance on balanceOf for post-swap balance calculation. The second is the absence of a check to ensure the claim amount doesn't exceed the available claimable balance from the transmuter.

Vulnerability Details

The claimAndSwap function's logic is as follows:

  1. Claims underlying (WETH) from the transmuter using transmuter.claim(_amountClaim, address(this)).

  2. Records the asset (aLETH) balance before the swap: uint256 balBefore = asset.balanceOf(address(this));.

  3. Executes the swap of underlying to asset using _swapUnderlyingToAsset.

  4. Records the asset balance after the swap: uint256 balAfter = asset.balanceOf(address(this));.

  5. Performs a slippage check: require((balAfter - balBefore) >= _minOut, "Slippage too high");.

  6. Deposits the current asset balance back into the transmuter: transmuter.deposit(asset.balanceOf(address(this)), address(this));.

Two distinct vulnerabilities are present:

  • balanceOf Manipulation: The time elapsed between steps 4 and 6 creates a window of opportunity for attackers. By frontrunning the claimAndSwap transaction with a transfer of asset into the contract or backrunning with a transfer of asset out of the contract, an attacker can manipulate the balAfter value. This affects the slippage check (step 5) and the final deposit (step 6), potentially allowing the attacker to profit at the expense of the strategy.

  • Missing Claimable Amount Check (CWE-691): The function lacks a check to ensure _amountClaim is within the actual claimable balance provided by the transmuter via transmuter.getClaimableBalance(address(this)). This can lead to transaction reverts if a keeper attempts to claim more than is available, corresponding to CWE-691 (Unchecked Return Value).

Impact

  • Financial Loss: An MEV attack can directly extract value from the strategy, resulting in financial losses for users.

  • Transaction Reverts: Attempting to claim more than the available balance will cause transactions to revert, disrupting the strategy's operation.

Tools Used

Manual Review

Recommendations

  • Capture Swapped Amount Directly: This addresses the balanceOf manipulation vulnerability. By capturing the return value of swapExactTokensForTokens, the contract obtains the precise amount of asset received, preventing manipulation.

  • Add Claimable Amount Check (Prevents Reverts): This directly addresses the missing check vulnerability. By verifying that _amountClaim is within the available claimable balance, the contract prevents reverts.
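
The two recommendations applied to the six steps listed under Vulnerability Details, as an added sketch that is not the project's code and not part of the original submission. The interfaces, the contract name and the return value of _swapUnderlyingToAsset are assumptions; only the calls named in the report are used, and access control and token approvals are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed interfaces, reduced to the calls the report names.
interface ITransmuterLike {
    function claim(uint256 amount, address recipient) external;
    function deposit(uint256 amount, address owner) external;
    function getClaimableBalance(address owner) external view returns (uint256);
}

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical contract name; keeper access control and approvals omitted.
abstract contract ClaimAndSwapSketch {
    ITransmuterLike public immutable transmuter;
    IERC20Like public immutable asset; // aLETH in the report

    constructor(ITransmuterLike _transmuter, IERC20Like _asset) {
        transmuter = _transmuter;
        asset = _asset;
    }

    // Assumption: the swap helper forwards the output amount reported by the
    // router (for example the last element returned by swapExactTokensForTokens).
    function _swapUnderlyingToAsset(uint256 amountIn, uint256 minOut)
        internal
        virtual
        returns (uint256 amountOut);

    function claimAndSwap(uint256 _amountClaim, uint256 _minOut) external {
        // Recommendation 2: fail early with a clear reason when the request
        // exceeds what the transmuter reports as claimable.
        uint256 claimable = transmuter.getClaimableBalance(address(this));
        require(_amountClaim <= claimable, "Claim exceeds claimable");

        // Step 1: claim underlying (WETH) from the transmuter.
        transmuter.claim(_amountClaim, address(this));

        // Recommendation 1: the slippage check uses the amount the swap
        // returned instead of a balanceOf difference (replaces steps 2, 4, 5).
        uint256 received = _swapUnderlyingToAsset(_amountClaim, _minOut);
        require(received >= _minOut, "Slippage too high");

        // Step 6, unchanged from the report: deposit the current asset balance.
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
}
```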

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
