The setRouter function allows management to update the router address used for token swaps (WETH to alETH) via the VeloRouter. If this address is misused or maliciously controlled, a rogue router can execute unexpected swaps, resulting in loss of funds or manipulation of the swap price the strategy receives.
The setRouter function is permissioned and callable only by management. However, if the management account is compromised or poorly managed, an attacker can point the router at a malicious contract. The strategy would then route its swaps through that contract, which could execute them at attacker-chosen rates or send the tokens to an unauthorized address, causing loss of assets or manipulated swap conditions.
The strategy grants the router an unlimited token approval, so a rogue router can pull the strategy's entire approved balance in a single transferFrom call. This magnifies the impact of any bad router change and, because the old router's approval is never revoked, a replaced router keeps that spending power.
Severity: High
Likelihood: Medium
Impact: High
Proof of Concept (PoC):
1. The attacker gains control over the management role (compromised key, social engineering, or an insider).
2. Using that role, the attacker calls setRouter and replaces the legitimate VeloRouter address with a contract they control. Because setRouter applies the change immediately and grants the new router an unlimited approval, no further step is needed before the strategy's swaps are routed through the attacker's contract.
3. On the next swap (WETH to alETH), the malicious router can:
   - redirect the approved tokens to the attacker's wallet instead of returning alETH to the strategy;
   - execute the swap at an arbitrary, attacker-chosen rate, or otherwise manipulate the strategy's financial operations.
Manual Review
Multi-sig Control: Use a multi-signature wallet for the management role that controls the router address. This requires multiple approvals before any router update can be made, reducing the risk of a single compromised key.
Time-lock for Changes: Implement a time-lock on changes to the router address (propose now, apply after a delay). This gives stakeholders time to react, and to cancel the change, if a suspicious router is proposed before it takes effect.
Pre-Approval Checks: Before changing the router, validate it against a list of known and approved routers, for example with a registry pattern. Note that if management alone can edit that registry, the check adds little; registry updates should sit behind the same multisig and time-lock as the router change itself.
Revoke Unused Approvals: When the router is updated, reset the old router's allowance to zero before approving the new one. This prevents the old router from continuing to spend the strategy's tokens after it is replaced.
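The following contract illustrates the four mitigations above together, placed beside the vulnerable setter for contrast. It is an added example written for this report, not the audited strategy's code or the VeloRouter's API: the contract and function names, the 2-day delay, the separate governance role that maintains the router registry, and the use of WETH as the approved token are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Added example (not the audited strategy): a router setter guarded by a
/// registry, a time-lock and approval revocation. Names and delay are assumed.
contract RouterGuard {
    address public management;   // assumed to be a multisig in production
    address public governance;   // separate role that curates the router registry
    address public router;
    IERC20 public immutable weth; // token the router is allowed to spend

    uint256 public constant DELAY = 2 days;           // assumed time-lock length
    mapping(address => bool) public approvedRouters;  // registry of vetted routers
    address public pendingRouter;
    uint256 public pendingRouterActiveAt;

    event RouterProposed(address indexed router, uint256 activeAt);
    event RouterUpdated(address indexed oldRouter, address indexed newRouter);
    event RouterProposalCancelled(address indexed router);

    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }
    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }

    constructor(address _weth, address _router, address _governance) {
        management = msg.sender;
        governance = _governance;
        weth = IERC20(_weth);
        router = _router;
        approvedRouters[_router] = true;
        require(weth.approve(_router, type(uint256).max), "approve failed");
    }

    /// Vulnerable pattern, shown for contrast only: the switch is immediate,
    /// any address is accepted, and the previous router keeps its allowance.
    function setRouterUnsafe(address _router) external onlyManagement {
        router = _router;
        weth.approve(_router, type(uint256).max);
    }

    /// Registry maintenance is held by governance, not management, so a
    /// compromised management key cannot whitelist its own router.
    function setApprovedRouter(address _router, bool _ok) external onlyGovernance {
        approvedRouters[_router] = _ok;
    }

    /// Step 1: management proposes a router that is already on the registry.
    function proposeRouter(address _router) external onlyManagement {
        require(_router != address(0), "zero router");
        require(approvedRouters[_router], "router not in registry");
        pendingRouter = _router;
        pendingRouterActiveAt = block.timestamp + DELAY;
        emit RouterProposed(_router, pendingRouterActiveAt);
    }

    /// Management can withdraw a proposal during the delay window.
    function cancelRouter() external onlyManagement {
        address cancelled = pendingRouter;
        pendingRouter = address(0);
        pendingRouterActiveAt = 0;
        emit RouterProposalCancelled(cancelled);
    }

    /// Step 2: once the delay has passed anyone may apply the change. The old
    /// router's allowance is reset to zero before the new one is approved.
    function applyRouter() external {
        address newRouter = pendingRouter;
        require(newRouter != address(0), "nothing pending");
        require(block.timestamp >= pendingRouterActiveAt, "timelock active");
        require(approvedRouters[newRouter], "router removed from registry");

        address old = router;
        pendingRouter = address(0);
        pendingRouterActiveAt = 0;

        if (old != address(0)) {
            require(weth.approve(old, 0), "revoke failed");   // revoke old router
        }
        router = newRouter;
        require(weth.approve(newRouter, type(uint256).max), "approve failed");
        emit RouterUpdated(old, newRouter);
    }
}
```

The registry is re-checked in applyRouter so that a router de-listed by governance during the delay window cannot still be activated. For tokens that reject a non-zero approve while an allowance is outstanding (USDT-style), the zero-then-max sequence used here is also the required order; for WETH it is simply good hygiene.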