Alchemix Transmuter

Summary

The StrategyArb.sol and StrategyOp.sol contracts allow changing DEX routers through a setRouter function, but the claimAndSwap functions are hardcoded to specific DEX interfaces (Ramses and Velodrome). This creates a mismatch between the protocol's ability to change routers and its ability to actually use new routers with different interfaces.

Vulnerability Details

Here is the setRouter function that allows for a DEX change:
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42

Here is the code that will fail in case of a router change:
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L102
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L87

The issue arises because:

• The route parameter types are hardcoded to specific DEX interfaces (IRamsesRouter/IVeloRouter)

• Different DEXs may have different route parameter structures

• The setRouter function allows changing to any router address, but the interface remains fixed

Impact

If management needs to change to a different DEX router (e.g., due to better liquidity or the current DEX being deprecated):

• The claimAndSwap function will fail due to interface incompatibility

• This would break the strategy's ability to swap claimed tokens back to the asset

• The protocol would need to deploy a new strategy contract instead of using the router upgrade functionality

Tools Used

Manual Review

Recommendations

You can use the call function and pass encurypted bytes data, so if the router is changed, it will work with anyone of them.