Submission Details
Severity: low
Invalid

Missing Route Validation in `addRoute` Function Could Impact claimAndSwap Execution

Summary

The StrategyMainnet::addRoute function does not validate the provided _route paths for correctness. This could lead to invalid or malicious routes being stored and later used in critical operations such as StrategyMainnet::claimAndSwap. If _route is incorrect, it can cause transaction failures or asset mismanagement during swaps, impacting the functionality of the protocol.

Vulnerability Details

/**
 * @dev Add a new route to be passed into Curve Router for swap see : https://docs.curve.fi/router/CurveRouterNG/
 * @param _route Route to be passed into Curve Router
 * @param _swapParams Swap params to be passed into Curve Router
 * @param _pools Pools to be passed into Curve Router
 */
function addRoute(
    address[11] calldata _route,
    uint256[5][5] calldata _swapParams,
    address[5] calldata _pools
) external onlyManagement {
    routes[nRoutes] = _route;
    swapParams[nRoutes] = _swapParams;
    pools[nRoutes] = _pools;
    nRoutes++;
}

The _route parameter in the StrategyMainnet::addRoute function is an array of 11 addresses used to define the swap path. The first address should always represent the input token (in this contract, WETH), and the last valid non-zero address should represent the output token (in this contract, alETH). Intermediate addresses represent pools or zaps. Unused array slots must be filled with ZERO_ADDRESS.

However, the contract does not validate the following:

  • Whether the first address in _route is indeed the input token.

  • Whether the last valid non-zero address is the output token.

Without these validations, a misconfigured _route could be added, potentially causing subsequent operations like StrategyMainnet::claimAndSwap to fail or behave unpredictably. For example, if _route contains invalid or mismatched tokens, the router.exchange call in StrategyMainnet::claimAndSwap might revert, leading to functional disruptions.
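
The two checks listed above, written as a standalone helper. This is an added example, not code from the audited contract or from the submission: `RouteChecks`, `validate` and the custom errors are hypothetical names, and the "path ends on a token" rule is an assumption taken from the Curve Router's token, pool, token layout. It scans forward so no descending unsigned counter is needed, and it also rejects non-zero entries after the first zero slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// @notice Added illustration; RouteChecks and validate are hypothetical names,
///         not part of the audited StrategyMainnet contract.
library RouteChecks {
    error InvalidInputToken(address got);
    error InvalidOutputToken(address got);
    error MalformedRoute(uint256 index);

    /// @param route    Curve Router path, padded with address(0)
    /// @param tokenIn  expected first entry (the input token)
    /// @param tokenOut expected last non-zero entry (the output token)
    /// @return last    index of the output token inside `route`
    function validate(
        address[11] calldata route,
        address tokenIn,
        address tokenOut
    ) internal pure returns (uint256 last) {
        // A zero tokenIn would make the comparison pass on an empty route.
        if (tokenIn == address(0) || route[0] != tokenIn) {
            revert InvalidInputToken(route[0]);
        }

        // Walk forward to the first zero slot; everything before it is the live path.
        uint256 len = 1;
        while (len < 11 && route[len] != address(0)) {
            unchecked { ++len; }
        }

        // Unused slots must all be zero: a non-zero entry after a gap is a
        // misconfiguration the router would silently ignore.
        for (uint256 i = len; i < 11; ++i) {
            if (route[i] != address(0)) revert MalformedRoute(i);
        }

        // Assumption (Curve Router layout: token, pool, token, ...): a complete
        // path has odd length >= 3, so it ends on a token rather than a pool.
        if (len < 3 || len % 2 == 0) revert MalformedRoute(len - 1);

        last = len - 1;
        if (route[last] != tokenOut) revert InvalidOutputToken(route[last]);
    }
}
```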

Impact

Due to the lack of validation for the _route parameter, the management could inadvertently configure an incorrect route, causing subsequent functionalities (such as claimAndSwap) to fail. This could lead to the following consequences:

  • Operational Disruption: The StrategyMainnet::claimAndSwap function might fail, affecting the normal operation of the system.

  • Financial Loss: An incorrect _route might result in unexpected token swaps or misdirected funds.

  • Security Risk: While only managers can call the StrategyMainnet::addRoute function, misconfigured routes might introduce unintended risks, especially in complex trading scenarios.

Tools Used

Manual

Recommendations

Add validation logic for the _route parameter in the StrategyMainnet::addRoute function to ensure the validity of the input token (first address) and the output token (last non-zero address).

/**
* @dev Add a new route to be passed into Curve Router for swap. See: https://docs.curve.fi/router/CurveRouterNG/
* @param _route Route to be passed into Curve Router
* @param _swapParams Swap params to be passed into Curve Router
* @param _pools Pools to be passed into Curve Router
*/
function addRoute(
address[11] calldata _route,
uint256[5][5] calldata _swapParams,
address[5] calldata _pools
) external onlyManagement {
// Ensure the first address in the route matches the underlying token
+ require(_route[0] == underlying, "Invalid input token in route");
// Ensure the last non-zero address in the route matches the asset token
+ bool outputTokenFound = false;
+ for (uint256 i = _route.length - 1; i >= 0; i--) {
+ if (_route[i] != address(0)) {
+ require(_route[i] == asset, "Invalid output token in route");
+ outputTokenFound = true;
+ break;
+ }
+ }
+ require(outputTokenFound, "Output token not specified in route");
// Save the route, swap parameters, and pool information
routes[nRoutes] = _route;
swapParams[nRoutes] = _swapParams;
pools[nRoutes] = _pools;
nRoutes++;
}
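
Review bot: the loop header `for (uint256 i = _route.length - 1; i >= 0; i--)` can never exit through its condition, because `i >= 0` is always true for a `uint256`; once `i` is 0 the `i--` either reverts (checked arithmetic, Solidity 0.8 and later) or wraps to a huge index (older compilers). In practice the preceding `require(_route[0] == underlying, ...)` means the scan breaks at index 0 at the latest, so `require(outputTokenFound, "Output token not specified in route")` is dead code, and a route holding only the input token is judged by `_route[0] == asset` instead of being rejected as having no output. Suggest iterating with `for (uint256 i = _route.length; i > 0; i--)` and reading `_route[i - 1]`, and requiring the matched index to be greater than 0 so the input slot cannot double as the output token. The added comment lines also lack the `+` marker the other new lines carry.
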
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
