Submission Details
Severity: low
Invalid

addRoute lacks validation leading to failed claimAndSwap calls

Summary

The addRoute function in the StrategyMainnet contract lacks validation for route parameters and swap configurations, which could lead to failed swaps. The function should implement comprehensive validation checks for routes, swap parameters, and pool addresses to ensure swaps execute successfully.

Vulnerability Details

In the StrategyMainnet.sol contract, the addRoute function is used to configure swap routes for converting between underlying tokens and synthetic tokens. However, the current implementation lacks crucial validation checks:

  1. The route configuration process:

    function addRoute(
        address[11] calldata _route,
        uint256[5][5] calldata _swapParams,
        address[5] calldata _pools
    ) external {
        // No validation of route parameters
        routes[nRoutes] = _route;
        swapParams[nRoutes] = _swapParams;
        pools[nRoutes] = _pools;
        nRoutes++;
    }

  2. These routes are later used in critical swap operations:

    function claimAndSwap(
        uint256 _amountClaim,
        uint256 _minOut,
        uint256 _routeNumber
    ) external onlyKeepers {
        // ...
        router.exchange(
            routes[_routeNumber],
            swapParams[_routeNumber],
            _amountClaim,
            _minOut,
            pools[_routeNumber],
            address(this)
        );
    }

This can lead to:

  • Failed swaps during claimAndSwap execution

Impact

The vulnerability could result in:

  • Failed swaps causing strategy operations to be blocked

  • Potential denial of service if invalid routes prevent successful swaps

  • Keeper operations being disrupted due to failed route execution

Tools Used

Manual Review

Recommendations

Implement comprehensive validation in the addRoute function, ensuring that the input and output tokens are valid and that the swap params and pools are valid.
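One way the structural part of this validation could look, as an added example rather than code from the audited contract. It assumes the route array alternates token, pool, token and is zero-padded after the output token; `RouteRegistry`, `underlying` and `asset` are hypothetical names, and router-specific checks on `_swapParams` and `_pools` are not attempted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example. Assumed layout: _route = [token, pool, token, pool, ..., 0, 0].
// Caller restrictions are outside the scope of this example.
contract RouteRegistry {
    address public immutable underlying; // assumed name: token sold by the swap
    address public immutable asset;      // assumed name: synthetic token received

    uint256 public nRoutes;
    mapping(uint256 => address[11]) public routes;
    mapping(uint256 => uint256[5][5]) public swapParams;
    mapping(uint256 => address[5]) public pools;

    constructor(address _underlying, address _asset) {
        require(_underlying != address(0) && _asset != address(0), "zero token");
        underlying = _underlying;
        asset = _asset;
    }

    function addRoute(
        address[11] calldata _route,
        uint256[5][5] calldata _swapParams,
        address[5] calldata _pools
    ) external {
        require(_route[0] == underlying, "route must start at underlying");

        // Find the last non-zero entry; anything after it must be padding.
        uint256 last;
        for (uint256 i = 1; i < 11; ++i) {
            if (_route[i] != address(0)) {
                require(last == i - 1, "gap in route");
                last = i;
            }
        }
        // A complete route ends on a token slot, i.e. an even index >= 2.
        require(last >= 2 && last % 2 == 0, "incomplete hop");
        require(_route[last] == asset, "route must end at asset");

        // Every pool slot on the route must hold a deployed contract.
        for (uint256 i = 1; i < last; i += 2) {
            require(_route[i].code.length > 0, "pool has no code");
        }

        routes[nRoutes] = _route;
        swapParams[nRoutes] = _swapParams;
        pools[nRoutes] = _pools;
        nRoutes++;
    }
}
```

With these checks a malformed route reverts when it is added instead of surfacing later as a failed `router.exchange` call inside `claimAndSwap`.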

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
