Alchemix Transmuter

Summary

The _deployFunds and _freeFunds functions in the StrategyOp contract do not validate the operational state of the transmuter contract. If the transmuter is paused or malfunctioning, these functions will revert, disrupting fund deployments and withdrawals. Although user funds remain secure, this can lead to delayed access and missed yield opportunities, undermining the strategy's reliability.

Vulnerability Details

The StrategyOp contract relies on the transmuter for key functionalities, such as deploying funds and freeing funds for withdrawal. However, there are no checks for the transmuter's state (e.g., paused or in maintenance) before invoking critical calls like transmuter.deposit and transmuter.withdraw.

If the transmuter is paused:

• Deposits via _deployFunds will fail, leaving funds idle and unutilized.

• Withdrawals via _freeFunds will revert, preventing users from accessing their assets

Code References

1. **In _deployFunds: **No check is made for the transmuter’s state before calling transmuter.deposit.

   function _deployFunds(uint256 _amount) internal override {

   transmuter.deposit(_amount, address(this));

   }

   ​

2. **In _freeFunds: **No validation is performed before calling transmuter.withdraw.

   function _freeFunds(uint256 _amount) internal override {

   uint256 totalAvailabe = transmuter.getUnexchangedBalance(address(this));

   if (_amount > totalAvailabe) {

   transmuter.withdraw(totalAvailabe, address(this));

   } else {

   transmuter.withdraw(_amount, address(this));

   }

   }

   ​

   • The function assumes transmuter.withdraw will always execute successfully. If the transmuter is paused, this will revert.

Impact

The lack of transmuter state checks can cause significant disruptions:

• Failed Withdrawals: Users cannot withdraw funds during transmuter downtime, leading to frustration and delays.

• Inoperable Strategy: Core functions like fund deployment and withdrawals will fail, leaving the strategy temporarily non-functional.

• Missed Yield Opportunities: When the transmuter is paused, funds intended for yield generation will remain inactive, preventing users from earning returns.

Although user funds remain secure, these issues delay access to assets, disrupt operations, and may erode user confidence in the protocol.

Tools Used

Manual code review

Recommendations

• **Add Transmuter State Validation: **Implement a function to check the transmuter's operational state, such as paused.

Example:

• **Guard Transmuter Interactions: **Validate the transmuter state before calling any critical functions.

  Example for _deployFunds:

  function _deployFunds(uint256 _amount) internal override {

  require(_isTransmuterActive(), "Transmuter is paused");

  transmuter.deposit(_amount, address(this));

  }

  ​

• **Introduce Emergency Pausing Logic: **Add functionality to pause the strategy when the transmuter is non-operational to prevent reverts. This will ensure better operational continuity.