DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: high
Invalid

StrategyOp::_initStrategy is inadvertently exposed through public or external functions due to lack of access control

Summary

If the _initStrategy function is inherited by a malicious contract, the router address might be manipulated and could be catastrophic.

```solidity
    function _initStrategy() external {
        // Ensure this calls the parent implementation but attempts to manipulate state
        router: 0x0000000000000000000000000000000000000001
        super._initStrategy()
    }
}
```

Vulnerability Details

The _initStrategy function assigns a specific router address and calls safeApprove to approve the router for interacting with the underlying token.


The function is internal, meaning it can only be called by the contract or inherited contracts. However, if _initStrategy is inadvertently exposed through public or external functions, it could be misused to overwrite the router or execute unexpected behavior.

**POC**

```solidity
    function test_initStrategy() external {
        // Initialize the strategy
        vm.startPrank(address(this)); // Act as the contract owner or deployer
        strategyOp._initStrategy();
        address initialRouter = strategyOp.getRouter();
        console.log("Initialized router:", initialRouter);
        assertEq(initialRouter, EXPECTED_ROUTER, "Router was not set correctly during initialization");
        vm.stopPrank();

        // Simulate malicious interaction with mockCall
        vm.startPrank(address(malicious));
        // Mock the router address manipulation during the _initStrategy call
        vm.mockCall(
            address(strategyOp), // Target contract
            abi.encodeWithSignature("_initStrategy()"), // Function signature
            abi.encode(0x0000000000000000000000000000000000000001) // Malicious router address to be returned
        );
        // malicious._initStrategy();
        address manipulatedRouter = strategyOp.getRouter();
        console.log("Manipulated router:", manipulatedRouter);
        // Ensure the router does not match the expected router after manipulation
        assertNotEq(manipulatedRouter, EXPECTED_ROUTER, "Router should not match after malicious manipulation");
        vm.stopPrank();
    }
}
```

Impact

The network is prone to unexpected behavior if the router is successfully manipulated via susceptible external/public functions.

Tools Used

Manual review & Foundry test suite.

Recommendations

The _initStrategy function should be protected with access control mechanisms.

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
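
An added illustration, not part of the submission or of the audited code base: it shows the Solidity visibility and inheritance semantics that the claim above turns on, namely that an `internal` function is absent from a contract's ABI and that a contract inheriting and re-exposing it only writes to its own storage. `BaseStrategy`, `Wrapper`, `VisibilityCheck`, `exposedInit` and the `0xBEEF` router value are hypothetical names and constructed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a strategy base contract (not the audited code).
contract BaseStrategy {
    address internal router;

    constructor() {
        _initStrategy();
    }

    // internal: not part of the ABI, so no external caller can reach it.
    function _initStrategy() internal virtual {
        router = address(0xBEEF); // constructed placeholder router
    }

    function getRouter() external view returns (address) {
        return router;
    }
}

// A separate contract that inherits the base and re-exposes the initializer.
contract Wrapper is BaseStrategy {
    function exposedInit() external {
        _initStrategy();
    }

    function _initStrategy() internal override {
        router = address(1);
    }
}

contract VisibilityCheck {
    // Returns true when all three expectations hold.
    function run() external returns (bool) {
        BaseStrategy deployed = new BaseStrategy();
        Wrapper other = new Wrapper();
        other.exposedInit();

        // No external function has this selector and there is no fallback,
        // so the low-level call reverts and ok is false.
        (bool ok, ) = address(deployed).call(abi.encodeWithSignature("_initStrategy()"));

        // The wrapper instance changed only its own storage slot.
        return !ok && deployed.getRouter() == address(0xBEEF) && other.getRouter() == address(1);
    }
}
```

In Foundry, `vm.mockCall` only substitutes the data returned by a matching call to the target address; it does not write to the target's storage.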
