Description

The protocol utilizes a decentralized exchange (DEX) for swaps, where WETH is claimed from the Transmuter. In this process, ALETH is initially deposited and converted into WETH, then converted back into ALETH. Subsequently, the ALETH is redeposited into the Transmuter, generating profits from the depeg between the ALETH/WETH pool. A malicious actor can exploit this mechanism by manipulating the token ratio in the pool through additional ALETH deposits, profiting the user.

Impact

The user may receive a lot tokens than expected, resulting in significant financial gains and loses to the protocol

Proof of Concept

1. Original ratio: 1 ALETH = 1 WETH.

2. Attacker’s action: The attacker monitors the keeper's transaction and frontruns it by depositing ALETH into the DEX ALETH/WETH pool, altering the ratio (e.g., 3 ALETH = 1 WETH).

3. Keeper’s transaction executed: The keeper's transaction proceeds with the updated ratio.

4. Keeper claims WETH: For example, the keeper claims WETH (e.g 30 WETH, 90 ALETH)

5. Redeployment: The function redeposits the ALETH into the Transmuter. (e.g 90 ALETH)

6. User’s gain: The user effectively receives a lot more tokens of the expected amount (e.g 90 ALETH), resulting in substantial profits.

7. Then, attacker redeem the money from the token pool, restoring ratios

8. User withdraw all the tokens, resulting on a substantial profit.

Tools Used

Manual review

Recommendations

• Implement price validation instead of token amount validation to prevent manipulation of conversion ratios.