DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: medium
Invalid

Unprotected Function Parameters Allowing Potential Denial of Service (DoS)

Summary

The setRouter and addRoute functions in the contract accept external inputs without proper validation or safeguards. This oversight permits malicious or erroneous configurations that can halt the strategy's operations. A misconfigured or malicious router can prevent essential functions like claimAndSwap from executing, leading to operational halts, financial discrepancies, and erosion of user trust.

Technical Details

Root Cause

The setRouter function allows the Manager to set any address as the router without validation. If the router contract reverts during operations (e.g., token transfers), the strategy becomes inoperative. Similarly, the addRoute function can accept invalid or malicious routes, compounding the risk of operational disruptions.

Vulnerable Code

    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

Why This Matters

Router Misconfiguration: Setting a router to a malicious or broken contract halts core operations like claimAndSwap.

Trust Erosion: Users unable to realize yields or withdraw funds lose confidence in the protocol.

Financial Discrepancies: Failed operations disrupt fund accounting and yield distributions.

Attack Scenarios

Scenario 1: Malicious Router Replacement

  1. Setup: A malicious Manager sets the router to a contract that reverts on swapExactTokensForTokens calls.

  2. Execution: Any subsequent calls to claimAndSwap fail, as the router cannot execute swaps.

  3. Impact: The strategy halts, preventing yield generation and affecting user withdrawals.

Scenario 2: Route Addition with Invalid Parameters

  1. Setup: A malicious or compromised Manager uses addRoute to introduce a route with invalid or malicious parameters.

  2. Execution: When the invalid route is used during swaps, transactions fail or misdirect funds.

  3. Impact: Users experience failed transactions, financial losses, or reduced yields.

Scenario 3: DoS through Gas-Intensive Router

  1. Setup: A router is set that contains gas-heavy operations, causing transactions to exceed block gas limits.

  2. Execution: Any interaction with the router fails due to excessive gas consumption.

  3. Impact: The strategy becomes unusable, and users are unable to withdraw or manage their funds.

Impact

  1. Operational Risk: Halting critical functions like claimAndSwap disrupts yield generation and fund management.

  2. Financial Risk: Users may experience reduced yields or losses due to operational failures.

  3. Reputational Risk: The protocol's integrity is undermined, resulting in user attrition and negative market perception.

Recommendations

1. Implement Router Whitelisting

Maintain a whitelist of approved router addresses.

  • Enforce validation to ensure the new router address matches a pre-approved entry:

    require(isWhitelistedRouter(_router), "Router not whitelisted");

2. Require Multi-Signature Approvals

Protect critical functions like setRouter and addRoute with multi-signature authentication, reducing the risk of unilateral malicious changes.

3. Introduce a Timelock Mechanism

Apply a delay between proposing a new router and its activation to allow for review and rollback if malicious intent is detected.
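As an added illustration of recommendations 1 and 3 together (this is example code, not code from the audited StrategyOp contract), the hypothetical RouterGuard below splits the router change into a whitelisted proposal and a delayed activation. It assumes OpenZeppelin 5.x SafeERC20 (forceApprove in place of the removed safeApprove), a governance address that would be a multisig as in recommendation 2, and illustrative role and constant names.

```solidity
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical hardened router management: whitelist (rec. 1) + timelock (rec. 3); names are illustrative.
contract RouterGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable underlying;
    address public immutable governance;            // assumed to be a multisig (rec. 2)
    address public management;
    address public router;
    address public pendingRouter;
    uint256 public pendingRouterActivatesAt;
    uint256 public constant ROUTER_DELAY = 2 days;  // assumed review window
    mapping(address => bool) public isWhitelistedRouter;
    event RouterProposed(address indexed router, uint256 activatesAt); // signal for off-chain review
    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }
    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }

    constructor(IERC20 _underlying, address _governance, address _management) {
        underlying = _underlying; governance = _governance; management = _management;
    }

    // Only governance edits the whitelist; management can only choose from it.
    function setRouterWhitelisted(address _router, bool _allowed) external onlyGovernance {
        require(_router.code.length > 0, "Router: not a contract");
        isWhitelistedRouter[_router] = _allowed;
    }

    // Step 1: propose. This is the validation the original setRouter lacked.
    function proposeRouter(address _router) external onlyManagement {
        require(isWhitelistedRouter[_router], "Router not whitelisted");
        pendingRouter = _router;
        pendingRouterActivatesAt = block.timestamp + ROUTER_DELAY;
        emit RouterProposed(_router, pendingRouterActivatesAt);
    }

    // Rollback: governance can discard a proposal during the review window.
    function cancelPendingRouter() external onlyGovernance { delete pendingRouter; }

    // Step 2: activate after the delay; the whitelist is re-checked in case the router was removed meanwhile.
    function activateRouter() external onlyManagement {
        address newRouter = pendingRouter;
        require(newRouter != address(0), "Router: nothing pending");
        require(block.timestamp >= pendingRouterActivatesAt, "Router: timelock active");
        require(isWhitelistedRouter[newRouter], "Router not whitelisted");
        router = newRouter;
        underlying.forceApprove(newRouter, type(uint256).max);
        delete pendingRouter;                       // prevent a second activation
    }
}
```

The RouterProposed event is what an off-chain monitor would watch so that governance can call cancelPendingRouter before the window expires.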

Proof of Concept (PoC)

Steps to Reproduce the Vulnerability:

  1. Deploy the StrategyOp contract.

  2. Call setRouter with a contract that always reverts on token transfers.

  3. Attempt to execute claimAndSwap.

  4. Observe the failure due to the router’s reversion.

Expected Fix Behavior:

  1. Implement router whitelisting and validation.

  2. Retry the attack with the malicious router.

  3. Observe the transaction revert with a validation error, preventing the router change.

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
