Alchemix Transmuter

Summary

**Contract **:: StrategyMainnet.sol

The claimAndSwap function lacks proper validation to ensure that the _minOut value is reasonable in comparison to the _amountClaim. Although the function checks whether _minOut > _amountClaim, this condition alone is insufficient to prevent abusive or erroneous transactions.

Specifically, _minOut can still be set to an unrealistically low value above _amountClaim, allowing keepers to manipulate the function. This could result in swaps being executed at unfavorable rates, causing losses to the protocol or stakeholders.

Vulnerability Details

Proof of Concept

1. A malicious keeper calls claimAndSwap with the following parameters:

   • _amountClaim = 1,000 (WETH)

   • _minOut = 1,001 (alETH)

2. The Curve Router executes a swap where the effective rate is highly unfavorable, resulting in only 1,002 alETH being received.

3. The protocol redeposits the resulting alETH into the transmuter, but the swap itself was executed at a loss.

Impact

Direct Financial Loss: A malicious or careless keeper could swap WETH to alETH at suboptimal rates, leading to substantial financial losses for the protocol.

• Keeper Exploitability: The absence of stricter validation allows a keeper to profit at the expense of the protocol by setting a low _minOut value.

Tools Used

Manual Review

Recommendations

_minOut must meet a reasonable threshold, such as a percentage above _amountClaim, derived from market rates or on-chain price oracles.

• Integrate a slippage tolerance mechanism to enforce favorable swap rates.

Code Snippet

The problematic validation is in the following line:

require(_minOut > _amountClaim, "minOut too low");

Proposed fix:

require(_minOut >= (_amountClaim * (100 + slippageTolerance)) / 100, "minOut too low");

References

• Curve Router Documentation

• Best Practices for Slippage Control