Submission Details
Severity: low
Invalid

Requiring `amountOut` to be larger than `amount` in `claimAndSwap` is not enough protection

Summary

The strategy's `_swapUnderlyingToAsset` function performs insufficient price validation when swapping WETH to alETH: it only requires the output amount to be greater than the input by 1 wei. This allows potential MEV exploitation and value extraction from the strategy.

Vulnerability Details

The vulnerability exists in the `_swapUnderlyingToAsset` function:

```solidity
function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
    // TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
    require(minOut > _amount, "minOut too low");
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    require(underlyingBalance >= _amount, "not enough underlying balance");
    IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
}
```

The key issues are:

  1. The function only requires `minOut > _amount`, meaning a swap returning just 1 wei more than the input is considered valid

  2. There is no oracle price validation, despite the TODO comment indicating it should check that the "price is better than 1:1"

  3. The keeper can execute trades at a minimal premium, potentially extracting value through MEV

Impact

Low severity impact as it allows:

  • Keepers to execute unfavorable trades for the strategy (keepers are trusted anyway, but further checks should be applied)

  • Value extraction through MEV sandwich attacks, especially if the sequencer becomes decentralized

  • Loss of value for strategy users, since trades can execute at a minimal premium instead of the market-rate premium

Tools Used

  • Manual code review

Recommendations

  1. Implement oracle price validation:

```solidity
function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
    // getOraclePrice() stands for an oracle read; the division by 1e18 assumes an 18-decimal price
    uint256 oraclePrice = getOraclePrice(); // Get current WETH/alETH price
    uint256 minAcceptableOut = (_amount * oraclePrice * 101) / (100 * 1e18); // 1% above oracle price
    require(minOut >= minAcceptableOut, "insufficient output amount");
    // ... rest of function
}
```

  2. Add slippage protection parameters:

  • Minimum acceptable premium percentage

  • Maximum allowed deviation from oracle price

  • Configurable by management

  3. Add events to track swaps and prices for monitoring
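
A sketch of recommendations 2 and 3 combined, as an added example that is not the audited project's code: a management-set minimum premium replaces the 1 wei check, the received amount is measured by balance delta, and both the parameter change and each swap emit events. The contract name, `minPremiumBps`, `asset`, `_onlyManagement`, the events and the minimal interfaces are assumptions; an oracle bound as in recommendation 1 would be enforced alongside this floor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example. Interfaces are minimal assumed shapes matching the calls shown on the page.
interface IERC20 { function balanceOf(address account) external view returns (uint256); }
interface IRamsesRouter {
    struct route { address from; address to; bool stable; }
    function swapExactTokensForTokens(uint256 amountIn, uint256 amountOutMin, route[] calldata routes,
        address to, uint256 deadline) external returns (uint256[] memory amounts);
}

abstract contract PremiumGuardedSwap {
    uint256 internal constant BPS = 10_000;
    IERC20 public immutable underlying; // WETH
    IERC20 public immutable asset;      // alETH (name assumed)
    address public immutable router;
    uint256 public minPremiumBps;       // hypothetical parameter, e.g. 50 = 0.5% over 1:1

    event MinPremiumUpdated(uint256 oldBps, uint256 newBps);
    event UnderlyingSwapped(uint256 amountIn, uint256 minOut, uint256 amountOut);

    constructor(IERC20 _underlying, IERC20 _asset, address _router, uint256 _minPremiumBps) {
        require(_minPremiumBps <= BPS, "premium too high");
        (underlying, asset, router, minPremiumBps) = (_underlying, _asset, _router, _minPremiumBps);
    }

    // Hypothetical access-control hook; the strategy's own management check would go here.
    function _onlyManagement() internal view virtual;

    function setMinPremiumBps(uint256 newBps) external {
        _onlyManagement();
        require(newBps <= BPS, "premium too high");
        emit MinPremiumUpdated(minPremiumBps, newBps);
        minPremiumBps = newBps;
    }

    function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
        // Floor rounds down, so the strict 1:1 check is kept for tiny amounts and a zero premium.
        uint256 floorOut = _amount + (_amount * minPremiumBps) / BPS;
        require(minOut > _amount && minOut >= floorOut, "minOut below premium floor");
        require(underlying.balanceOf(address(this)) >= _amount, "not enough underlying balance");
        uint256 balanceBefore = asset.balanceOf(address(this));
        IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
        // Do not rely on the router's return value; measure what actually arrived.
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;
        require(received >= minOut, "received below minOut");
        emit UnderlyingSwapped(_amount, minOut, received);
    }
}
```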

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Lack of mechanism to ensure premium swaps
