Submission Details
Severity: medium
Invalid

Lack of Protection Against Pausable or Blacklistable Tokens

Description

Some ERC20 tokens include pausable functionality or blacklist capabilities, allowing certain addresses to be frozen or all transfers to be halted by an authorized party. If the asset or underlying tokens implement such features, the strategy might be unable to transfer tokens, leading to funds being locked within the contract.

Given that the strategy depends on transferring tokens to and from the transmuter and during swaps, any pausing or blacklisting could severely impede its operation.

Impact

  • Funds Lockup: Assets could become irretrievable if the contract address is blacklisted.

  • Operational Failure: The strategy might fail to execute critical functions, affecting deposits, withdrawals, and swaps.

  • User Funds at Risk: Users may be unable to access their funds or experience significant delays.

Proof of Concept (PoC)

  1. Scenario:

    • The asset token implements a blacklist feature.

    • The token's owner blacklists the strategy contract's address.

  2. Outcome:

    • Any attempt to transfer asset tokens fails, reverting transactions.

    • Users cannot withdraw their funds from the strategy.

Recommendations

  • Due Diligence on Tokens:

    • Before interacting with a token, ensure it does not have blacklisting or pausing features, or that such features are appropriately managed.

  • Implement Fallback Mechanisms:

    • Prepare for scenarios where tokens become non-transferable by implementing emergency withdrawal functions that handle such cases.

  • Check for Paused State Before Transfers:

    • If possible, integrate checks to determine if a token is paused before attempting transfers.

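      // isTokenPaused is a helper this submission does not define;
      // it has to be implemented for the specific token in use.
      function safeTransferAsset(address to, uint256 amount) internal {
          require(!isTokenPaused(asset), "Asset token is paused");
          asset.safeTransfer(to, amount);
      }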
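
One way to back the last two recommendations with code. This is an added example, not part of the submission or the audited strategy: the contract PauseAwareTransfers and the names payOut, attemptTransfer, claimPending and pendingWithdrawals are hypothetical, and it assumes OpenZeppelin's IERC20/SafeERC20 and a token that, if pausable, exposes an OpenZeppelin-style paused() getter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical mixin (added example): defers payouts instead of reverting.
abstract contract PauseAwareTransfers {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    mapping(address => uint256) public pendingWithdrawals; // owed but not yet sent
    event TransferDeferred(address indexed to, uint256 amount);

    constructor(IERC20 asset_) { asset = asset_; }

    // Probes paused(); a token without that getter is treated as not paused.
    function isTokenPaused(IERC20 token) internal view returns (bool) {
        (bool ok, bytes memory ret) =
            address(token).staticcall(abi.encodeWithSignature("paused()"));
        return ok && ret.length >= 32 && abi.decode(ret, (uint256)) != 0;
    }

    // Sends if possible; on pause, blacklist or any other revert, records a debt.
    function payOut(address to, uint256 amount) internal {
        if (!isTokenPaused(asset)) {
            try this.attemptTransfer(to, amount) { return; } catch {}
        }
        pendingWithdrawals[to] += amount;
        emit TransferDeferred(to, amount);
    }

    // External only so payOut can wrap it in try/catch; callable by self alone.
    function attemptTransfer(address to, uint256 amount) external {
        require(msg.sender == address(this), "self only");
        asset.safeTransfer(to, amount);
    }

    // Pull-style retry once the token is transferable again.
    function claimPending() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount != 0, "nothing pending");
        pendingWithdrawals[msg.sender] = 0; // clear before the external call
        asset.safeTransfer(msg.sender, amount);
    }
}
```

Blacklists have no standard getter, so the try/catch path is what covers them. While the strategy's own address is blacklisted, claimPending reverts as well, and the strategy's accounting must exclude pending amounts from the assets it reports.
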
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
