DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: medium
Invalid

Reentrancy Vulnerability via Untrusted Router Contract

Summary

The contract allows management to update the router address without validation, and grants it infinite approval to spend underlying tokens. If the router is set to a malicious contract, it can exploit reentrancy vulnerabilities during token swaps, leading to unauthorized operations and potential loss of funds.

Vulnerability Details

  • Unrestricted Router Update:

    • The setRouter function lets management set the router to any address without validation.

    // Vulnerable as described above: _router is not validated, and the new
    // router immediately receives an unlimited allowance on the underlying token.
    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }
  • Infinite Approval Granted to New Router:

    • Upon updating, the new router receives infinite approval to spend underlying tokens.

    • If the new router is malicious, it can misuse this allowance.

  • External Calls Without Reentrancy Protection:

    • The swapExactTokensForTokens function is called on the router without reentrancy guards.

    IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
  • Reentrancy Risk:

    • A malicious router can call back into the strategy contract during the swap.

    • This can manipulate the contract's state, leading to unauthorized fund transfers.

Impact

  • Loss of Funds:

    • An attacker can drain the strategy's funds through reentrancy attacks.

  • Unauthorized Operations:

    • The attacker can manipulate contract state, affecting balances and operations.

  • System Integrity Compromised:

    • Trust in the strategy is undermined, potentially affecting all stakeholders.

Proof of Concept (POC)

  1. Attack Preparation:

    • The attacker deploys a malicious router contract (EvilRouter) with a swapExactTokensForTokens function that performs a reentrant call.

  2. Router Update Exploit:

    • The attacker, having the onlyManagement role, calls setRouter to set the router to EvilRouter.

    • Infinite approval is granted to EvilRouter.

  3. Triggering the Attack:

    • When claimAndSwap is called, it invokes EvilRouter.swapExactTokensForTokens.

  4. Reentrancy Execution:

    • EvilRouter performs the swap and then re-enters the strategy contract.

    • It calls sensitive functions (e.g., withdraw functions) before the initial call completes.

  5. Outcome:

    • Funds are transferred out of the strategy contract to the attacker's address.

    • The strategy contract's state is left inconsistent.

Recommendations

  • Implement Reentrancy Guards:

    • Use OpenZeppelin's ReentrancyGuard to prevent reentrant calls in functions that involve external interactions.

    import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

    contract StrategyArb is BaseStrategy, ReentrancyGuard {
        // ...
        // nonReentrant rejects any call back into this function while the router call is in flight.
        function claimAndSwap(...) external onlyKeepers nonReentrant {
            // Function body
        }
    }
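As an added illustration of the recommendation above and of the setRouter/claimAndSwap flow in Vulnerability Details, here is a hypothetical hardened strategy (HardenedStrategy, not the project's StrategyArb): it guards the swap path with nonReentrant, validates the router in setRouter, revokes the outgoing router's allowance, and replaces the standing infinite approval with a per-swap one. It assumes OpenZeppelin Contracts 5.x and a simplified IRamsesRouter interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts 5.x (utils/ReentrancyGuard.sol, SafeERC20.forceApprove).
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Simplified router interface for this example; the real Ramses router may differ.
interface IRamsesRouter {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical stand-in for the strategy contract, showing the mitigations only.
contract HardenedStrategy is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public management;
    address public router;

    modifier onlyManagement() {
        require(msg.sender == management, "not management");
        _;
    }

    constructor(IERC20 _underlying, address _management) {
        underlying = _underlying;
        management = _management;
    }

    // Validate the new router and revoke the outgoing router's allowance.
    // No unlimited approval is granted here; allowance is scoped per swap below.
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "zero router");
        require(_router.code.length > 0, "router is not a contract");
        if (router != address(0)) underlying.forceApprove(router, 0);
        router = _router;
    }

    // nonReentrant rejects any call back into this function while the router call is in flight;
    // the allowance covers exactly this swap's amount and is cleared afterwards.
    function claimAndSwap(uint256 _amount, uint256 _minOut, address[] calldata _path)
        external onlyManagement nonReentrant
    {
        require(_path.length >= 2 && _path[0] == address(underlying), "bad path");
        underlying.forceApprove(router, _amount);
        IRamsesRouter(router).swapExactTokensForTokens(_amount, _minOut, _path, address(this), block.timestamp);
        underlying.forceApprove(router, 0);
    }
}
```

nonReentrant only protects functions on the same contract that carry the modifier, so every externally reachable function that can move funds needs it as well.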
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
galturok (Submitter), 8 months ago
inallhonesty (Lead Judge), 7 months ago
