The claimAndSwap function can easily be DoS'ed by performing a swap that rebalances the alETH/WETH pool before the claimAndSwap function is called.
The claimAndSwap function is designed to claim the underlying token (WETH) from the transmuter, swap it for the asset token (alETH), and deposit the asset token back into the transmuter. However, the function only executes the swap if the asset token (alETH) is priced lower than the underlying token (WETH). This logic creates a vulnerability where a user can easily front-run the claimAndSwap function by performing a swap to balance the alETH/WETH pool, thereby causing the function to fail.
If a user front-runs the claimAndSwap function by executing a swap that adjusts the alETH/WETH price ratio to remove the favorable conditions for the swap, the function’s condition is no longer met, and the swap fails. This prevents the function from executing as intended, disrupting its normal operation.
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L79
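The dependence of the guard on pool state can be reproduced in a small model. This is an added example, not code from StrategyOp.sol: the constant-product pool, the 0.30% fee, the reserves and the names `Pool`, `guard_holds`, `claim_and_swap` and `run_scenario` are all assumptions made for illustration.

```python
from dataclasses import dataclass

E18 = 10**18
FEE_BPS = 30  # constructed 0.30% fee; the real pool's fee is not stated on the page

@dataclass
class Pool:
    """Toy constant-product alETH/WETH pool (an assumed model, not the real pool)."""
    weth: int
    aleth: int

    def quote(self, weth_in: int) -> int:
        """alETH received for weth_in WETH at the current reserves."""
        eff = weth_in * (10_000 - FEE_BPS) // 10_000
        return self.aleth * eff // (self.weth + eff)

    def swap(self, weth_in: int) -> int:
        out = self.quote(weth_in)
        self.weth += weth_in
        self.aleth -= out
        return out

def guard_holds(pool: Pool, claimed_weth: int) -> bool:
    """The condition described above: alETH must be priced below WETH."""
    return pool.quote(claimed_weth) > claimed_weth

def claim_and_swap(pool: Pool, claimed_weth: int) -> int:
    """Hypothetical stand-in for claimAndSwap: reverts unless the guard holds."""
    if not guard_holds(pool, claimed_weth):
        raise RuntimeError("swap reverted: alETH is not priced below WETH")
    return pool.swap(claimed_weth)

def run_scenario(prior_swap_weth: int) -> str:
    """Constructed reserves: alETH starts roughly 10% cheaper than WETH."""
    pool = Pool(weth=1_000 * E18, aleth=1_100 * E18)
    if prior_swap_weth:
        pool.swap(prior_swap_weth)  # a swap that lands before the keeper's call
    try:
        out = claim_and_swap(pool, 10 * E18)
        return f"ok: received {out / E18:.4f} alETH for 10 WETH"
    except RuntimeError as exc:
        return f"reverted: {exc}"

if __name__ == "__main__":
    print(run_scenario(0))         # pool untouched: guard holds, swap executes
    print(run_scenario(50 * E18))  # pool rebalanced first: guard fails, call reverts
```

The `guard_holds` check can be evaluated off-chain before submitting the transaction, but it reflects only the reserves at quote time and does not protect against a swap that lands in between.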
This vulnerability allows any user to block execution of the claimAndSwap function and thereby prevent the strategy's rewards, claimed from the transmuter, from being reinvested back into the transmuter, which will result in fewer rewards for users.
Manual Review