Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: low

Valid

Hardcoded Curve Router Address In ` Creates Immutable Dependency Risk

0xmaxi

Summary

The strategy contract hardcodes the ICurveRouterNG address without any ability to update it, creating a critical point of failure if the router contract is ever upgraded or migrated.

Vulnerability Details

In _initStrategy(), the router address is hardcoded:

function initStrategy() internal {

router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);

underlying.safeApprove(address(router), type(uint256).max);

}

Key issues:

Router address is immutably set during initialization
No functionality exists to update the router address
Unlimited approval is given to the hardcoded address
No way to revoke approval if router becomes deprecated

Impact

If Curve upgrades their router infrastructure:

Strategy's claimAndSwap() functionality will break
WETH claimed from transmuter cannot be swapped back to alETH
Unlimited approval remains with old router address
Strategy would need complete redeployment to fix

The severity is HIGH because:

Core strategy functionality depends on router working
No mitigation path exists besides redeployment
User funds could become trapped in an unusable state

Tools Used

Manual review

Recommendations

Implement router address management functionality:

address public router;

address public pendingRouter;

uint256 public constant ROUTER_DELAY = 2 days;

uint256 public routerChangeInitiated;

function initiateRouterChange(address newRouter) external onlyManagement {

pendingRouter = newRouter;

routerChangeInitiated = block.timestamp;

}

function executeRouterChange() external {

require(block.timestamp >= routerChangeInitiated + ROUTER_DELAY, "Delay not met");

// Revoke old approval

underlying.safeApprove(address(router), 0);

// Update router

router = pendingRouter;

// Approve new router

underlying.safeApprove(address(router), type(uint256).max);

// Reset state

pendingRouter = address(0);

routerChangeInitiated = 0;

}

This provides:

Controlled router address updates
Time-delayed changes for security
Proper approval management
Long-term strategy maintainability

Updates

Appeal created

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Cannot Set A New Router In `StrategyMainnet.sol`

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.