Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Transmuter State Validation Can Disrupt Strategy Operations

invcbull

Summary

The _deployFunds and _freeFunds functions in the StrategyOp contract do not validate the operational state of the transmuter contract. If the transmuter is paused or malfunctioning, these functions will revert, disrupting fund deployments and withdrawals. Although user funds remain secure, this can lead to delayed access and missed yield opportunities, undermining the strategy's reliability.

Vulnerability Details

The StrategyOp contract relies on the transmuter for key functionalities, such as deploying funds and freeing funds for withdrawal. However, there are no checks for the transmuter's state (e.g., paused or in maintenance) before invoking critical calls like transmuter.deposit and transmuter.withdraw.

If the transmuter is paused:

Deposits via _deployFunds will fail, leaving funds idle and unutilized.
Withdrawals via _freeFunds will revert, preventing users from accessing their assets

Code References

**In _deployFunds: **No check is made for the transmuter’s state before calling transmuter.deposit.

function _deployFunds(uint256 _amount) internal override {
transmuter.deposit(_amount, address(this));
}
**In _freeFunds: **No validation is performed before calling transmuter.withdraw.

function _freeFunds(uint256 _amount) internal override {
uint256 totalAvailabe = transmuter.getUnexchangedBalance(address(this));
if (_amount > totalAvailabe) {
transmuter.withdraw(totalAvailabe, address(this));
} else {
transmuter.withdraw(_amount, address(this));
}
}
- The function assumes transmuter.withdraw will always execute successfully. If the transmuter is paused, this will revert.

Impact

The lack of transmuter state checks can cause significant disruptions:

Failed Withdrawals: Users cannot withdraw funds during transmuter downtime, leading to frustration and delays.
Inoperable Strategy: Core functions like fund deployment and withdrawals will fail, leaving the strategy temporarily non-functional.
Missed Yield Opportunities: When the transmuter is paused, funds intended for yield generation will remain inactive, preventing users from earning returns.

Although user funds remain secure, these issues delay access to assets, disrupt operations, and may erode user confidence in the protocol.

Tools Used

Manual code review

Recommendations

**Add Transmuter State Validation: **Implement a function to check the transmuter's operational state, such as paused.

Example:

function _isTransmuterActive() internal view returns (bool) {

return !transmuter.paused();

}

**Guard Transmuter Interactions: **Validate the transmuter state before calling any critical functions.

Example for _deployFunds:

function _deployFunds(uint256 _amount) internal override {
require(_isTransmuterActive(), "Transmuter is paused");
transmuter.deposit(_amount, address(this));
}
**Introduce Emergency Pausing Logic: **Add functionality to pause the strategy when the transmuter is non-operational to prevent reverts. This will ensure better operational continuity.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.