Alchemix Transmuter

Summary

The _swapUnderlyingToAsset function in StrategyArb.sol only checks that minOut > _amount before executing swaps. This basic check is insufficient to ensure profitable trades as it only guarantees a 1:1 ratio, which could result in trades being executed at suboptimal rates.

Vulnerability Details

In the _swapUnderlyingToAsset function in StrategyArb.sol:

The only price check is require(minOut > _amount, "minOut too low"). This check only ensures that the output amount is greater than the input amount, which is insufficient for two reasons:

1. It doesn't account for the expected market premium for alETH vs WETH

2. It doesn't protect against sandwich attacks where an attacker could manipulate the price just enough to pass this check

Example Scenario 1: MEV Sandwich Attack:

// Initial State
Pool: 1000 WETH : 1000 alETH
Market Price: 1 WETH = 1.05 alETH
Strategy wants to swap: 100 WETH
Keeper sets minOut = 101 alETH (passes check as > 100)

1. Attacker front-runs:

• Buys large amount of alETH with WETH

• Pushes price to 1 WETH = 1.15 alETH

2. Strategy transaction executes:

• Swaps 100 WETH

• Gets 101 alETH (passes minOut check)

• But actual market rate was 1.15 (should get 115 alETH)

• Lost 14 alETH in value

3. Attacker back-runs:

• Sells alETH back to WETH

• Price returns to ~1.05

• Profits from the spread

Example Scenario 2: Delayed Execution

1. Keeper checks price: 1 WETH = 1.03 alETH

2. Sets minOut = 1.02

3. Transaction delayed by network

4. Price moves to 1 WETH = 1.08 alETH

5. Strategy loses opportunity

Impact

The vulnerability leads to:

1. Direct value loss through sandwich attacks

2. Opportunity cost from executing at suboptimal rates

3. MEV extraction that continuously drains value from the protocol

Tools Used

Manual Review

Recommendations

Fetch the expected price from an oracle or external feed and enforce that the swap rate provides a reasonable premium.