Submission Details
Severity: medium
Invalid

The StrategyMainnet contract lacks a mechanism to revoke or freeze malicious routes

Summary

The StrategyMainnet contract has a vulnerability: once routes are added via the addRoute method, there is no built-in mechanism to revoke or freeze a problematic or malicious route. This leaves the contract exposed to attackers, to routes that develop problems later, and to administrators mistakenly adding malicious routes. Without the ability to revoke or disable these routes, the result could be loss of funds or exploitation of the vulnerability.

Vulnerability Details

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyMainnet.sol#L56

In the StrategyMainnet contract, new routes can be added via the addRoute method. While this method is limited to management roles (via the onlyManagement modifier), once routes are added, the contract does not provide any way to remove or disable them. A route may become problematic after a period of use, and if a malicious attacker gains control of a management role, malicious routes could be injected. Additionally, if an added route points to a vulnerable contract or liquidity pool, the lack of a revocation or freeze function means that these issues cannot be quickly resolved.

The root cause of this issue is that the contract does not provide a clear way to remove or freeze routes, resulting in an inability to manage or revoke these unsafe routes, which could result in significant losses.

Impact

Loss of funds: If a malicious or controlled route is added, funds may be transferred to an address controlled by the attacker or a compromised contract, causing severe financial losses.
Operational risk: If the added route causes liquidity problems or market instability, it may cause transaction failures or excessive slippage, resulting in loss of user funds.

Tools Used

Manual review

Recommendations

Implement a removeRoute method: add a method that removes a specific route, such as removeRoute(uint256 routeId). This method should remove the route from the routes map, ensuring it is no longer used.
Add a freezeRoute method: introduce a freezeRoute(uint256 routeId) method to temporarily disable a route. This method can mark a route as "frozen" to prevent it from being used in exchanges or other interactions.
Introduce multi-signature control: consider using multi-signature wallets or multiple management roles so that the addition, modification, or deletion of routes requires consensus from trusted parties, thereby reducing the risk of a single malicious actor manipulating a route.
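
A sketch of the removeRoute and freezeRoute recommendations, added here as an illustration and not taken from the submission or from the StrategyMainnet source. The Route struct, the storage layout, the single-address management check, the usableRoute helper and the extra bool parameter on freezeRoute (so a freeze can be lifted) are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added sketch, not the StrategyMainnet code: storage layout, the Route struct
// and the single-address management check are assumptions for illustration.
contract RouteRegistrySketch {
    struct Route {
        address[] path; // hypothetical swap path
        bool exists;
        bool frozen;
    }
    address public immutable management; // stands in for the onlyManagement role
    uint256 public nRoutes;
    mapping(uint256 => Route) private routes;

    event RouteFrozen(uint256 indexed routeId, bool frozen);
    event RouteRemoved(uint256 indexed routeId);
    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }
    constructor(address _management) { management = _management; }

    function addRoute(address[] calldata path) external onlyManagement returns (uint256 routeId) {
        routeId = nRoutes++; // ids are never reused, so a removed id stays dead
        routes[routeId].path = path;
        routes[routeId].exists = true;
    }

    // Reversible kill switch: keeps the route data but blocks its use.
    function freezeRoute(uint256 routeId, bool frozen) external onlyManagement {
        require(routes[routeId].exists, "unknown route");
        routes[routeId].frozen = frozen;
        emit RouteFrozen(routeId, frozen);
    }

    // Permanent removal: clears the path and both flags for this id.
    function removeRoute(uint256 routeId) external onlyManagement {
        require(routes[routeId].exists, "unknown route");
        delete routes[routeId];
        emit RouteRemoved(routeId);
    }

    // Every swap entry point would fetch its path through this check.
    function usableRoute(uint256 routeId) public view returns (address[] memory) {
        Route storage r = routes[routeId];
        require(r.exists && !r.frozen, "route unavailable");
        return r.path;
    }
}
```

The freeze and remove paths only help if every code path that consumes a route goes through the availability check, and the emitted events give monitoring a signal when a route's status changes.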

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
