DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: low
Invalid

Slippage Protection in `StrategyOp::claimAndSwap`, function checks balance AFTER a swap.

Summary:

The StrategyOp::claimAndSwap function checks if the balance after the swap is greater than or equal to _minOut. However, this check is done after the swap, which means if the slippage is too high, the transaction will revert, but the gas cost will still be incurred.

Vulnerability Details:

  • Severity: LOW

  • Explanation: The claimAndSwap function checks if the balance after the swap is greater than or equal to _minOut. This check is performed after the swap, meaning that if the slippage is too high, the transaction will revert, but the gas cost will still be incurred.

Impact:

Users may incur unnecessary gas costs if the slippage is too high.

Tools Used:

Manual Testing

Recommendations:

Implement a slippage check before executing the swap to avoid unnecessary gas costs.

To check the slippage before executing the swap, we have to update the `StrategyOp::claimAndSwap` function, as below:

```solidity
function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IVeloRouter.route[] calldata _path) external onlyKeepers nonReentrant {
    transmuter.claim(_amountClaim, address(this));
    // Check slippage before swap
    uint256 expectedOut = getExpectedOut(_amountClaim, _path);
    require(expectedOut >= _minOut, "Slippage too high");
    // Swap underlying to asset
    uint256 balBefore = asset.balanceOf(address(this));
    _swapUnderlyingToAsset(_amountClaim, _minOut, _path);
    uint256 balAfter = asset.balanceOf(address(this));
    require((balAfter - balBefore) >= _minOut, "Slippage too high");
    transmuter.deposit(asset.balanceOf(address(this)), address(this));
}

function getExpectedOut(uint256 _amountIn, IVeloRouter.route[] calldata _path) internal view returns (uint256) {
    // Implement logic to get expected output amount from the swap
    // should be replaced with actual logic
    return _amountIn; // Replace this with the actual expected output calculation
}
```
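
One way the `getExpectedOut` placeholder could be filled in, as an added example that is not part of the submission or the audited code base. It assumes the router exposes a Velodrome-V1-style `getAmountsOut` view function; `IVeloRouterQuote`, `SwapQuoteGuard` and `requireQuoteAtLeast` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed interface: a Velodrome-V1-style router with a route struct and a
// view quote function. The project's IVeloRouter may declare it differently.
interface IVeloRouterQuote {
    struct route {
        address from;
        address to;
        bool stable;
    }

    function getAmountsOut(uint256 amountIn, route[] memory routes)
        external
        view
        returns (uint256[] memory amounts);
}

// Hypothetical helper contract, for illustration only.
contract SwapQuoteGuard {
    IVeloRouterQuote public immutable router;

    constructor(address _router) {
        router = IVeloRouterQuote(_router);
    }

    /// Quote the output of the final hop for `_amountIn` along `_path`.
    function getExpectedOut(uint256 _amountIn, IVeloRouterQuote.route[] calldata _path)
        public
        view
        returns (uint256)
    {
        require(_path.length > 0, "Empty path");
        uint256[] memory amounts = router.getAmountsOut(_amountIn, _path);
        // amounts[0] is the input; the last entry is the final-hop output.
        return amounts[amounts.length - 1];
    }

    /// Revert before any swap is attempted if the quote is below `_minOut`.
    function requireQuoteAtLeast(uint256 _amountIn, uint256 _minOut, IVeloRouterQuote.route[] calldata _path)
        external
        view
    {
        require(getExpectedOut(_amountIn, _path) >= _minOut, "Slippage too high");
    }
}
```

The quote is an extra external call, so it adds gas to every invocation, including those where the swap would have met `_minOut`. The post-swap balance comparison in `claimAndSwap` stays in place as the check on what was actually received.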
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
