A malicious keeper is able to bypass the exchange rate check in the claimAndSwap function of the StrategyArb contract. The keeper can do so by interacting directly with the Ramses Router contract.
The claimAndSwap function invokes the internal function _swapUnderlyingToAsset.
_swapUnderlyingToAsset has a check to ensure that the keeper swaps tokens at a rate better than 1:1. However, if the malicious keeper interacts directly with the Ramses Router, he will be able to bypass this check and swap tokens at a bad rate.
The check which can be bypassed:
The vulnerable code:
https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L84
Ramses Router
Ramses Router contract:
https://arbiscan.io/address/0x0e216dd4f1b5ea81006d41b79f9a1a69a38f3e37#code
If you look at the swapExactTokensForTokens function in the Ramses Router, you will see that the malicious keeper can pass a bad amountOutMin and manipulate the exchange rate in this way.
Users will lose part of their funds, because the exchange rate will be worse than 1:1, so the Strategy will lose some of its funds.
Manual Review
Approve keepers to transfer tokens for a single transaction only. Once the transaction succeeds, set the approved amount back to 0.
With this solution in place, keepers won't be able to interact directly with the Ramses Router, because the transaction will revert.
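One way to implement the recommendation above, as an added example that is not code from StrategyArb or the audited repository. It assumes the allowance in question is the strategy's allowance to the router; the contract name ScopedApprovalSwap, the keepers mapping, the Route struct layout and the router signature (beyond the names swapExactTokensForTokens and amountOutMin) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal interfaces, assumed for this example.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IRouter {
    struct Route { address from; address to; bool stable; } // assumed layout
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, Route[] calldata routes,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical contract: grants the router an allowance only for the duration of one swap.
contract ScopedApprovalSwap {
    IERC20 public immutable underlying;
    IERC20 public immutable asset;
    IRouter public immutable router;
    mapping(address => bool) public keepers;

    constructor(IERC20 _underlying, IERC20 _asset, IRouter _router, address _keeper) {
        underlying = _underlying;
        asset = _asset;
        router = _router;
        keepers[_keeper] = true;
    }

    function swap(uint256 amount, uint256 minOut, IRouter.Route[] calldata path) external {
        require(keepers[msg.sender], "not keeper");
        // Same intent as the check described above: rate must beat 1:1.
        require(minOut > amount, "rate not better than 1:1");
        uint256 balanceBefore = asset.balanceOf(address(this));

        // Allowance exists only inside this transaction and covers only `amount`.
        require(underlying.approve(address(router), amount), "approve failed");
        router.swapExactTokensForTokens(amount, minOut, path, address(this), block.timestamp);
        // Revoke whatever allowance is left so nothing persists after the swap.
        require(underlying.approve(address(router), 0), "reset failed");

        // Verify what actually arrived instead of trusting the router's amountOutMin alone.
        require(asset.balanceOf(address(this)) - balanceBefore >= minOut, "bad rate");
    }
}
```

With no standing allowance, a swap of the strategy's underlying can only go through this function, so it always passes the rate check and the post-swap balance check.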