Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Complex Route Management and Mapping

isanctuary

Summary

The StrategyMainnet contract manages swap routes through a complex and flexible mapping system, increasing risks associated with misconfiguration, storage collisions, and excessive gas consumption. These vulnerabilities can lead to operational disruptions, failed swaps, or potential fund mismanagement.

Effective mitigation strategies include limiting route complexity, validating input data, and maintaining a whitelist of trusted pools.

Code Reference

The addRoute function enables the addition of new swap routes, managed via mappings:

mapping(uint256 => address[11]) public routes;
mapping(uint256 => uint256[5][5]) public swapParams;
mapping(uint256 => address[5]) public pools;
uint256 public nRoutes = 0;
function addRoute(
address[11] calldata _route,
uint256[5][5] calldata _swapParams,
address[5] calldata _pools
) external onlyManagement {
routes[nRoutes] = _route;
swapParams[nRoutes] = _swapParams;
pools[nRoutes] = _pools;
nRoutes++;
}

Problems:

  1. Route Mismanagement:

    • Lack of validation for _route, _swapParams, and _pools increases the risk of adding invalid or malicious configurations.

    • Potential for overlapping or conflicting routes due to unbounded route additions.

  2. Storage Collisions and Gas Costs:

    Continuously increasing nRoutes without limits can lead to storage inefficiencies and excessive gas consumption for transactions involving large arrays.

  3. Data Corruption:

    Errors in index handling can overwrite or corrupt route data, leading to operational failures or unintended behaviors.

Exploitation Scenarios

Scenario 1: Malformed Routes Leading to Failed Swaps

  1. Setup:

    The Manager adds a route with an invalid token sequence or an incorrect pool address.

  2. Execution:

    When the route is used in a swap, the invalid configuration causes the transaction to fail or revert.

  3. Impact:

    • Users experience delays or failed withdrawals.

    • Yield generation is disrupted, impacting returns for all participants.

Scenario 2: Malicious Route Introduction

  1. Setup:

    A malicious or compromised Manager adds a route where one of the pool addresses points to an attacker-controlled contract.

  2. Execution:

    When the route is used, the malicious contract drains funds through unauthorized token transfers or manipulates prices.

  3. Impact:

    • Direct loss of user funds.

    • Reputational damage to the protocol.

Scenario 3: Gas Exhaustion from Excessive Routes

  1. Setup:

    The Manager repeatedly adds routes with large arrays, increasing the size and complexity of the mappings.

  2. Execution:

    Operations involving the mappings (e.g., swaps, route audits) consume excessive gas, causing transaction failures or delays.

  3. Impact:

    • Operational inefficiencies and higher costs for users and the protocol.

Impact Analysis

  1. Financial Impact:

    Failed swaps or malicious routes can lead to direct loss of funds or reduced yields.

  2. Operational Impact:

    Excessive gas consumption disrupts transaction execution, impacting protocol efficiency.

  3. Reputational Impact:

    Loss of user trust due to operational failures or fund mismanagement.

**Root Cause **

  1. Lack of Input Validation:

    • _route, _swapParams, and _pools are not validated before being added to the mappings.

  2. Unbounded Route Additions:

    • No limits on the number of routes or the size of arrays, leading to storage and gas inefficiencies.

  3. Absence of Safety Mechanisms:

    • No safeguards against overlapping or conflicting routes.

Mitigation Recommendations

1. Input Validation for Route Data

Mechanism:

  • Validate _route to ensure each address represents a valid token.

  • Check _pools against a whitelist of approved pool addresses.

  • Verify the format and length of _swapParams to match expected configurations.

function validateRoute(
address[11] calldata _route,
uint256[5][5] calldata _swapParams,
address[5] calldata _pools
) internal view {
for (uint256 i = 0; i < _pools.length; i++) {
require(isApprovedPool(_pools[i]), "Invalid pool address");
}
// Additional validation logic
}

2. Implement Route Limits

Mechanism:

  • Restrict the number of routes and the size of arrays to prevent excessive resource consumption.

uint256 public constant MAX_ROUTES = 100;
function addRoute(
address[11] calldata _route,
uint256[5][5] calldata _swapParams,
address[5] calldata _pools
) external onlyManagement {
require(nRoutes < MAX_ROUTES, "Route limit exceeded");
routes[nRoutes] = _route;
swapParams[nRoutes] = _swapParams;
pools[nRoutes] = _pools;
nRoutes++;
}

3. Automate Route Verification

  • Mechanism:

    • Integrate automated checks to validate routes during addition and before swaps.

Proof of Concept (PoC)

Reproducing the Issue

  1. Deploy the StrategyMainnet contract.

  2. Add routes with invalid token sequences or malicious pool addresses.

  3. Observe the operational impact during swaps or other route-dependent functions.

Verifying Mitigation

  1. Deploy a modified contract with input validation and route limits.

  2. Attempt to add invalid or excessive routes.

  3. invalid routes are rejected and resource consumption remains efficient.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.