Tags: DeFi, Foundry, Solidity
Submission Details
Severity: low
Invalid

The attacker can steal the opportunity to swap at a premium from keepers.

Summary

Keepers call the claimAndSwap function when alETH is worth more than 1 WETH (e.g., 1 alETH = 1.01 WETH), aiming to capture the premium. However, an attacker can frontrun the keepers' transaction with a tiny "dust" transaction.

Suppose that after the attacker's transaction executes, the price has dropped back to 1 alETH = 1 WETH or even lower by the time the keepers' transaction is processed. The attacker has then effectively stolen the opportunity to swap at a premium.

Vulnerability Details

```solidity
function claimAndSwap(
    uint256 _amountClaim,
    uint256 _minOut,
    uint256 _routeNumber
) external onlyKeepers {
    // Claim _amountClaim from the transmuter into this contract
    transmuter.claim(_amountClaim, address(this));
    uint256 balBefore = asset.balanceOf(address(this));
    // Only premium swaps are allowed: the keeper must demand more than it claimed
    require(_minOut > _amountClaim, "minOut too low");
    router.exchange(
        routes[_routeNumber],
        swapParams[_routeNumber],
        _amountClaim,
        _minOut,
        pools[_routeNumber],
        address(this)
    );
    uint256 balAfter = asset.balanceOf(address(this));
    // Revert if the swap returned less than the keeper's minimum
    require((balAfter - balBefore) >= _minOut, "Slippage too high");
    // Redeposit the whole balance into the transmuter
    transmuter.deposit(asset.balanceOf(address(this)), address(this));
}
```

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyMainnet.sol#L92

Impact

Keepers won't be able to swap at a premium.

Recommendations

Use the get_dy function from Curve, or a similar pricing method, to estimate the swap's outcome before executing the transaction.
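The sequence the report describes, as an added simulation that is neither the project's code nor part of the submission: a keeper quotes the premium with a get_dy-style read, a frontrunning trade lands first, and the keeper's call then runs into the strategy's own minOut and slippage guards. The pool is a constant-product stand-in with a constructed reserve state (not Curve's StableSwap invariant), and the frontrun size is a parameter so the dust-sized case can be tried alongside a larger one.

```python
from dataclasses import dataclass

FEE_BPS = 4        # constructed: a 0.04% pool fee
BPS = 10_000


@dataclass
class Pool:
    """Constant-product stand-in for the alETH/WETH pool (constructed; Curve's
    StableSwap curve is flatter, but the frontrun dynamics are the same)."""
    aleth: int   # reserve of alETH, the token the strategy sells
    weth: int    # reserve of WETH, the token it wants back

    def get_dy(self, dx: int) -> int:
        """Quote WETH out for dx alETH in, like Curve's read-only get_dy."""
        dx_after_fee = dx * (BPS - FEE_BPS) // BPS
        return self.weth * dx_after_fee // (self.aleth + dx_after_fee)

    def exchange(self, dx: int) -> int:
        """State-changing swap; the caller enforces its own minimum output."""
        dy = self.get_dy(dx)
        self.aleth += dx
        self.weth -= dy
        return dy


def claim_and_swap(pool: Pool, amount_claim: int, min_out: int) -> int:
    """Mirror of claimAndSwap's two guards: minOut must exceed the claimed
    amount (premium swaps only) and the realised output must meet minOut.
    Either failure reverts, so the keeper loses the opportunity, not funds."""
    if not min_out > amount_claim:
        raise RuntimeError("minOut too low")
    received = pool.exchange(amount_claim)
    if received < min_out:
        raise RuntimeError("Slippage too high")
    return received


def scenario(frontrun_dx: int) -> tuple:
    """Keeper quotes with get_dy, then a trade of frontrun_dx alETH lands first.
    Returns (quote, result): the WETH received or the revert reason."""
    pool = Pool(aleth=1_000_000_000, weth=1_020_000_000)  # constructed: ~1.02 WETH/alETH
    claim = 10_000_000
    quote = pool.get_dy(claim)          # keeper's pre-trade estimate
    min_out = quote * 995 // 1000       # keeper tolerates 0.5% below the quote
    if frontrun_dx:
        pool.exchange(frontrun_dx)      # the frontrunner's transaction is mined first
    try:
        return quote, claim_and_swap(pool, claim, min_out)
    except RuntimeError as err:
        return quote, str(err)
```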

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Lack of mechanism to ensure premium swaps
