DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: high
Invalid

Malicious Swap Path (Sandwich Attack) since _path is not validated

Summary

The function claimAndSwap allows a keeper to claim WETH from the transmuter, swap it for alETH, and deposit the alETH back into the transmuter. The _path parameter defines the swap route for exchanging WETH to alETH, which is intended to be through the Ramses Router. However, if this parameter is not properly validated, there is a risk of a malicious actor manipulating the swap path for their benefit, potentially enabling a sandwich attack or using a path that provides them with better rates at the expense of the contract.

Vulnerability Details

Malicious Swap Path: The _path argument allows the keeper to specify the route for the swap. Without validation, an attacker could manipulate the path to use inefficient or malicious routes, potentially resulting in poor exchange rates or enabling a sandwich attack.

Sandwich Attack: An attacker could exploit this vulnerability by controlling or manipulating the swap path to front-run and back-run the transaction, causing the contract to get a worse rate, thus profiting at the expense of the contract.

Impact

Severity: High. An attacker could manipulate the swap path and profit by exploiting inefficient paths or routing through malicious addresses.

Likelihood: Medium. If the contract does not validate the swap paths, it is possible for a malicious keeper or attacker to manipulate the path and execute a sandwich attack.

Impact on Contract: High. By using a bad route, the attacker could significantly reduce the profit from the swap or even cause a loss. This could be exploited by any malicious actor with the ability to manipulate the _path parameter.

Tools Used

Manual Review

Recommendations

Path Validation: Implement validation for the _path parameter to ensure that it only includes trusted routers. Maintain a whitelist of approved addresses or paths, and reject any invalid paths.

function isValidPath(address[] calldata _path) internal view returns (bool) {
    // Implement whitelist checking logic
}
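
One way the whitelist check recommended above could be filled in, as an added example that is not code from the submission or from the audited contract. It assumes each element of `_path` is a token address; `PathAllowlist`, `approvedHop`, `MAX_HOPS`, `setHopApproval` and `requireValidPath` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: allowlist check for a WETH -> alETH swap path.
/// Every identifier in this contract is an assumption, not a name
/// taken from the audited code base.
contract PathAllowlist {
    address public immutable owner;
    address public immutable weth;   // required first element of every path
    address public immutable alEth;  // required last element of every path
    uint256 public constant MAX_HOPS = 4; // bounds route length and gas use

    mapping(address => bool) public approvedHop; // intermediate tokens only

    event HopApprovalSet(address indexed token, bool approved);
    error InvalidPath();

    constructor(address _weth, address _alEth) {
        require(_weth != address(0) && _alEth != address(0) && _weth != _alEth, "bad endpoints");
        owner = msg.sender;
        weth = _weth;
        alEth = _alEth;
    }

    /// Owner-only maintenance of the allowlist; emits an event for monitoring.
    function setHopApproval(address token, bool approved) external {
        require(msg.sender == owner, "not owner");
        approvedHop[token] = approved;
        emit HopApprovalSet(token, approved);
    }

    /// True only if the path starts at WETH, ends at alETH, stays within
    /// MAX_HOPS, and every intermediate token is on the allowlist.
    function isValidPath(address[] calldata _path) public view returns (bool) {
        uint256 n = _path.length;
        if (n < 2 || n > MAX_HOPS + 1) return false;
        if (_path[0] != weth || _path[n - 1] != alEth) return false;
        for (uint256 i = 1; i < n - 1; i++) {
            if (!approvedHop[_path[i]]) return false;
        }
        return true;
    }

    /// Guard a swap entry point would call before using a keeper-supplied path.
    function requireValidPath(address[] calldata _path) external view {
        if (!isValidPath(_path)) revert InvalidPath();
    }
}
```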
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
