DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: high
Invalid

Reentrancy risk in `StrategyOp::claimAndSwap` might lead to unauthorized manipulation of the contract's state and potential loss of funds.

Summary:

The `StrategyOp::claimAndSwap` function calls external contracts (`transmuter.claim` and `_swapUnderlyingToAsset`) before updating the contract's state. If either callee calls back into the contract, this ordering could allow a reentrancy attack.

Vulnerability Details:

  • Severity: HIGH

  • Explanation: The `claimAndSwap` function makes two external calls:

    1. `transmuter.claim`

    2. `_swapUnderlyingToAsset`

    Both calls are made before the contract's state is updated, which might allow reentrancy attacks if the external contracts call back into the contract.

Impact:

Reentrancy attacks could lead to unauthorized manipulation of the contract's state and potential loss of funds.

Tools Used:

Manual Testing

Recommendations:

  1. Use the Checks-Effects-Interactions (CEI) pattern by updating the contract's state before making external calls.

  2. Alternatively, inherit OpenZeppelin's `ReentrancyGuard` and apply its `nonReentrant` modifier to the function.

```solidity
contract StrategyOp is BaseStrategy, ReentrancyGuard {
    // ... existing code ...

    // nonReentrant reverts any call that re-enters while a previous call is still executing
    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IVeloRouter.route[] calldata _path) external onlyKeepers nonReentrant {
        // ... existing code of function ...
    }

    // ... existing code ...
}
```
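As an added illustration (not code from the submission or from the audited codebase), the two orderings side by side in a stripped-down strategy: one variant does the bookkeeping after the external calls, the other applies Checks-Effects-Interactions and a reentrancy guard. The `ITransmuter` and `ISwapper` interfaces, the `keepers` mapping and the `totalClaimed` accounting are hypothetical stand-ins, since the page does not show the real ABIs; `SimpleReentrancyGuard` is a minimal mutex with the same semantics as OpenZeppelin's `ReentrancyGuard` and its `nonReentrant` modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interfaces: the real transmuter and router ABIs are not on the page,
// so these minimal ones stand in for them.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ITransmuter {
    // Sends `amount` of underlying to `recipient`. Like any external call, it may
    // execute callee-controlled code before returning.
    function claim(uint256 amount, address recipient) external;
}

interface ISwapper {
    function swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut)
        external
        returns (uint256 amountOut);
}

// Minimal mutex with the same semantics as OpenZeppelin's ReentrancyGuard:
// a storage flag set on entry and cleared on exit.
abstract contract SimpleReentrancyGuard {
    uint256 private _status; // 0 = not entered, 1 = entered

    modifier nonReentrant() {
        require(_status == 0, "ReentrancyGuard: reentrant call");
        _status = 1;
        _;
        _status = 0;
    }
}

// Shared scaffolding so the two variants differ only in the body of claimAndSwap.
abstract contract StrategyBase {
    ITransmuter public immutable transmuter;
    ISwapper public immutable swapper;
    IERC20 public immutable underlying;
    IERC20 public immutable asset;
    mapping(address => bool) public keepers;

    // Hypothetical bookkeeping the strategy relies on: underlying pulled from the transmuter so far.
    uint256 public totalClaimed;

    constructor(ITransmuter t, ISwapper s, IERC20 u, IERC20 a) {
        transmuter = t;
        swapper = s;
        underlying = u;
        asset = a;
        keepers[msg.sender] = true;
    }

    modifier onlyKeepers() {
        require(keepers[msg.sender], "not a keeper");
        _;
    }

    // Second interaction: hands the claimed underlying to the swapper.
    function _swapUnderlyingToAsset(uint256 amountIn, uint256 minOut) internal returns (uint256) {
        underlying.approve(address(swapper), amountIn);
        return swapper.swap(address(underlying), address(asset), amountIn, minOut);
    }
}

// The ordering the report flags: both interactions run while totalClaimed is still stale,
// so any code executing during claim() or the swap observes inconsistent accounting.
contract StrategyVulnerable is StrategyBase {
    constructor(ITransmuter t, ISwapper s, IERC20 u, IERC20 a) StrategyBase(t, s, u, a) {}

    function claimAndSwap(uint256 amountClaim, uint256 minOut) external onlyKeepers {
        transmuter.claim(amountClaim, address(this));  // interaction
        _swapUnderlyingToAsset(amountClaim, minOut);   // interaction
        totalClaimed += amountClaim;                   // effect, written last
    }
}

// Checks-Effects-Interactions plus the guard the report recommends: state is written
// before any external call, and a re-entrant call into any nonReentrant function reverts.
contract StrategyHardened is StrategyBase, SimpleReentrancyGuard {
    constructor(ITransmuter t, ISwapper s, IERC20 u, IERC20 a) StrategyBase(t, s, u, a) {}

    function claimAndSwap(uint256 amountClaim, uint256 minOut) external onlyKeepers nonReentrant {
        require(amountClaim > 0, "zero claim");        // check
        totalClaimed += amountClaim;                   // effect
        transmuter.claim(amountClaim, address(this));  // interaction
        _swapUnderlyingToAsset(amountClaim, minOut);   // interaction
    }
}
```

Because the whole transaction reverts if `claim` or the swap fails, writing `totalClaimed` first never leaves it out of step with what was actually received; the guard then covers anything CEI cannot express, such as callbacks into other state-changing functions of the same contract.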
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
