Alchemix Transmuter

Summary

The claimAndSwap function in the StrategyMainnet contract does not validate the _routeNumber parameter, allowing potential out-of-bounds access to route mappings. This could result in transaction reverts, operational disruption, or unintended fund handling. Mitigations include strict validation of route indices and fallback mechanisms to prevent contract reversion.

Technical Details

Root Cause

The function directly uses the _routeNumber parameter to access routes, swapParams, and pools mappings without ensuring the parameter is within the valid range of existing routes. This lack of validation opens the function to edge cases where invalid indices could disrupt operations or lead to unexpected behaviors.

Vulnerable Code

Why This Matters

• Direct Access Risk: The routes[_routeNumber], swapParams[_routeNumber], and pools[_routeNumber] mappings rely on _routeNumber for indexing. If _routeNumber exceeds nRoutes, the contract may revert or access unintended storage.

• Lack of Graceful Handling: Out-of-bounds access does not have fallback mechanisms, making the system brittle to invalid inputs.

Attack Scenarios

Scenario 1: Transaction Reversion

1. Setup: An attacker calls claimAndSwap with _routeNumber greater than the number of defined routes (nRoutes).

2. Execution: The function attempts to access non-existent indices in routes, causing a revert.

3. Impact: Repeated invalid calls lead to transaction failures, disrupting the protocol's functionality and creating user frustration.

Scenario 2: Potential State Corruption

1. Setup: Due to edge cases or unforeseen storage layouts, an invalid _routeNumber may unintentionally access unrelated storage slots.

2. Execution: The contract operates on invalid data or unintentionally overwrites storage.

3. Impact: This could result in unpredictable behavior, leading to incorrect fund swaps or state corruption.

Impact

1. Financial Impact: Potential for mismanaged funds due to invalid route handling.

2. Operational Impact: Disruption of normal operations caused by transaction reverts or invalid swaps.

3. Reputational Impact: Poor handling of basic parameter validation undermines trust in the protocol’s robustness.

Mitigation Recommendations

1. Route Number Validation

• Add checks to ensure _routeNumber is within the bounds of defined routes (nRoutes):

  require(_routeNumber < nRoutes, "Invalid route number");

  ​

2. Default Route Fallback

• Implement a fallback mechanism to handle invalid _routeNumber gracefully:

  uint256 validRoute = _routeNumber < nRoutes ? _routeNumber : 0; // Fallback to default route

  router.exchange(

  routes[validRoute],

  swapParams[validRoute],

  _amountClaim,

  _minOut,

  pools[validRoute],

  address(this)

  );

  ​

Proof of Concept (PoC)

Steps to Reproduce:

1. Deploy the StrategyMainnet contract with predefined routes (nRoutes = 3).

2. Call claimAndSwap with _routeNumber = 5.

3. Observe a transaction revert due to out-of-bounds mapping access.

Mitigation Validation:

1. Add the recommended require validation to the function.

2. Repeat the invalid call with _routeNumber = 5.

3. Observe that the function now gracefully handles the error by reverting with a meaningful message.