DeFiFoundrySolidity
Submission Details
Severity: medium
Invalid

Unrestricted Router Approval by Malicious Management Enables Complete Asset Drain

Summary

The protocol's setRouter function, callable by the onlyManagement role, lets management update the router address and grant the new router an unlimited token approval (type(uint256).max). If the management address is compromised or operated maliciously, it could approve a malicious router that drains all WETH.

Vulnerability Details

The setRouter function lets management change the router address and grants that router an unlimited approval over the contract's WETH.
There are no checks or restrictions on the validity of the new router address.

Impact

Complete Loss of Funds: All WETH held by the Transmuter contract could be stolen, resulting in severe financial loss for the protocol and its users.

Tools Used

Recommendations

Limit Approvals:
Avoid granting unlimited approvals (type(uint256).max) to any address. Use minimal, transaction-specific approvals instead, as in the following suggested change to claimAndSwap:

```diff
function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IRamsesRouter.route[] calldata _path) external onlyKeepers {
transmuter.claim(_amountClaim, address(this));
+ underlying.safeApprove(router, _amountClaim);
balBefore = asset.balanceOf(address(this)); // asset is alETH
_swapUnderlyingToAsset(_amountClaim, _minOut, _path);
uint256 balAfter = asset.balanceOf(address(this));
require((balAfter - balBefore) >= _minOut, "Slippage too high");
transmuter.deposit(asset.balanceOf(address(this)), address(this));
}
```
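Review bot: the added `underlying.safeApprove(router, _amountClaim);` assumes the swap consumes the whole allowance; if `underlying` uses OpenZeppelin's SafeERC20, `safeApprove` reverts whenever the existing allowance is nonzero, so any allowance left over from a swap that used less than `_amountClaim` would make every later call to `claimAndSwap` revert. Resetting the allowance to zero after `_swapUnderlyingToAsset`, or approving with a helper that first resets to zero, avoids that failure mode. The snippet also does not show the corresponding change to `setRouter`, which is where the `type(uint256).max` approval described in the finding is granted; the recommendation is only complete if that unlimited approval is removed (and the previous router's allowance revoked) there. Minor: `balBefore = asset.balanceOf(address(this));` has no type declaration, so this will not compile unless `balBefore` is a state variable; it should be `uint256 balBefore = ...` like `balAfter`.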
Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
