Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Simplistic `minOut` Check in Swap Function Allowing Potential Exploitation

cipherhawk

Issue:

The _swapUnderlyingToAsset function performs a simplistic validation of the minOut parameter, requiring only that minOut > _amount. This check ensures that the output amount of alETH exceeds the input amount of WETH but does not verify whether the trade achieves a true premium based on real market conditions or oracle-based pricing.

Impact:

High.

  1. Price Manipulation:

    • Attackers can manipulate on-chain liquidity pools or swap paths to achieve favorable conditions and front-run the transaction, leading to swaps at suboptimal rates.

    • This can cause the strategy to lose value and harm depositor yields.

  2. Lack of Price Verification:

    • Without reference to a trusted price oracle, the strategy cannot ensure swaps are executed at fair market rates, leaving it exposed to slippage and unfavorable trades.

  3. Inaccurate Slippage Protection:

    • The simplistic minOut check does not account for real-time token price volatility or premium expectations, making it susceptible to rapid market changes or malicious actors.

Evidence from Code:

function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IVeloRouter.route[] calldata _path) internal {
require(minOut > _amount, "minOut too low");
uint256 underlyingBalance = underlying.balanceOf(address(this));
require(underlyingBalance >= _amount, "not enough underlying balance");
IVeloRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
}

The condition require(minOut > _amount, "minOut too low"); ensures only that the output exceeds the input but lacks validation against actual market prices or a premium.

Potential Attack Scenario:

  1. Front-Running with Manipulated Liquidity:

    • An attacker observes the transaction in the mempool (assuming Optimism has a malicious sequencer or private transaction leaks).

    • The attacker preemptively manipulates the liquidity pool to skew the exchange rate and achieves a profit by adjusting the market temporarily before and after the strategy's swap.

  2. Slippage Exploitation:

    • An attacker designs a swap route that appears valid but incurs significant slippage due to poorly selected intermediary tokens or pools.

    • The strategy performs the trade, receiving less value than expected without triggering the simplistic minOut > _amount condition.

  3. Misaligned Premium Expectations:

    • A Keeper submits a transaction with a minOut that only marginally exceeds _amount, causing the strategy to swap without realizing a true premium, thereby reducing user yields.

Proposed Mitigations:

  1. Oracle-Based Price Validation: Introduce a price oracle to validate that minOut corresponds to an acceptable exchange rate. Compare the expected output with the oracle-reported price for the trade.

    require(
    minOut >= _amount * oracle.getPrice(address(underlying), address(asset)) / 1e18,
    "minOut below market price"
    );

  2. Premium Threshold Enforcement: Require that minOut includes a predefined premium (e.g., 1.5%) to account for slippage and ensure profitability.

    uint256 premiumThreshold = _amount * 1015 / 1000; // 1.5% premium
    require(minOut >= premiumThreshold, "minOut below premium threshold");

  3. Dynamic Slippage Tolerance: Adjust the minOut condition dynamically based on real-time volatility or liquidity metrics from the router or pools.

  4. Time-Limited Transactions: Include a deadline parameter to ensure the transaction executes promptly, minimizing exposure to front-running.

    require(block.timestamp <= deadline, "Transaction expired");

Updated Function Implementation:

function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IVeloRouter.route[] calldata _path, uint256 deadline) internal {
uint256 oraclePrice = oracle.getPrice(address(underlying), address(asset));
uint256 minExpectedOut = (_amount * oraclePrice) / 1e18;
require(minOut >= minExpectedOut, "minOut below market rate");
uint256 premiumThreshold = minExpectedOut * 1015 / 1000; // Ensure 1.5% premium
require(minOut >= premiumThreshold, "minOut below premium threshold");
uint256 underlyingBalance = underlying.balanceOf(address(this));
require(underlyingBalance >= _amount, "Not enough underlying balance");
IVeloRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), deadline);
}

Advantages of Mitigation:

  1. Fair Market Protection:

    • Prevents swaps from executing at rates significantly below market value.

    • Protects against slippage and manipulated trades.

  2. Premium Enforcement:

    • Ensures swaps generate positive returns, improving depositor confidence and yield reliability.

  3. Minimized Exploitation:

    • Reduces the feasibility of front-running and slippage attacks by requiring adherence to oracle-verified pricing and premium thresholds.

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID]Lack of mechanism to ensure premium swaps

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.