Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Potential Liquidity Issues Due to Overinvestment

galturok

Description

In the claimAndSwap function, after swapping WETH (underlying) to alETH (asset), the strategy deposits all of its alETH balance back into the transmuter without considering existing alETH balances that may be needed for withdrawals.

function claimAndSwap(

uint256 _amountClaim,

uint256 _minOut,

IVeloRouter.route[] calldata _path

) external onlyKeepers {

transmuter.claim(_amountClaim, address(this));

uint256 balBefore = asset.balanceOf(address(this));

_swapUnderlyingToAsset(_amountClaim, _minOut, _path);

uint256 balAfter = asset.balanceOf(address(this));

require((balAfter - balBefore) >= _minOut, "Slippage too high");

// Depositing all asset balance, including any existing assets

transmuter.deposit(asset.balanceOf(address(this)), address(this));

}

By depositing the entire alETH balance, including funds that may be required for user withdrawals, the strategy may become illiquid and unable to fulfill withdrawal requests promptly.

Impact

Withdrawal Delays: Users may experience delays or inability to withdraw their funds due to insufficient liquid alETH in the strategy.
User Dissatisfaction: Withdrawal issues can lead to loss of user confidence and trust in the strategy.
Potential Losses: In volatile market conditions, inability to withdraw funds promptly could result in financial losses for users.

Proof of Concept (PoC)

Scenario:
- The strategy has an existing balance of alETH available for withdrawals.
- After a claimAndSwap operation, all alETH, including the existing balance, is redeposited into the transmuter.
Effect:
- Users attempting to withdraw funds find that the strategy lacks sufficient liquid alETH to fulfill withdrawal requests.
- The strategy must wait for the transmuter to release funds, causing delays.
Consequence:
- Immediate withdrawal requests fail or are delayed.
- Users may face financial losses, especially if they intended to convert alETH in response to market changes.

Recommendations

Deposit Only Swapped Amount:
Modify the claimAndSwap function to deposit only the newly acquired alETH from the swap:

function claimAndSwap(
uint256 _amountClaim,
uint256 _minOut,
IVeloRouter.route[] calldata _path
) external onlyKeepers {
transmuter.claim(_amountClaim, address(this));
uint256 balBefore = asset.balanceOf(address(this));

_swapUnderlyingToAsset(_amountClaim, _minOut, _path);

uint256 balAfter = asset.balanceOf(address(this));

uint256 swappedAmount = balAfter - balBefore;
require(swappedAmount >= _minOut, "Slippage too high");

// Deposit only the swapped alETH amount
transmuter.deposit(swappedAmount, address(this));
}

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.