Submission Details
Severity: high
Invalid

Funds held by strategies would be locked permanently

Summary

There's no means to remove funds from strategies

Vulnerability Details

Within the protocol, funds can be received by a strategy to be deposited into the transmuter.
https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L71

    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IRamsesRouter.route[] calldata _path) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        ...Snip..
    @>  transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }

The issue is that within the protocol there's no means to transfer or approve funds out of any strategy. Even _emergencyWithdraw(), which illustrates the need to withdraw funds, calls _freeFunds().
https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L112

    function _freeFunds(uint256 _amount) internal override {
        uint256 totalAvailabe = transmuter.getUnexchangedBalance(address(this));
        if (_amount > totalAvailabe) {
            transmuter.withdraw(totalAvailabe, address(this));
        } else {
            transmuter.withdraw(_amount, address(this));
        }
    }

But _freeFunds() does not send these funds to anyone; they still stay in the contract.

The same issue is common among the other strategies.

Impact

Funds held by strategies would be stuck permanently.

Tools Used

Manual Review

Recommendations

Implement a means to remove funds from the strategies with appropriate access control.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
