Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Critical Vulnerabilities in redeem Function: Division by Zero and Insufficient Balance Validation

nishant

1. Summary

The redeem function in the YieldTokenMock contract contains two critical vulnerabilities:

A division by zero error in the price() function.
Missing balance validation, allowing users to redeem more tokens than they own, potentially draining the contract's funds.

2. Vulnerability Details

Division by Zero in price() Function
- The price() function returns 0 when totalSupply() is 0.
- This causes a division by zero in the _burn() calculation within the redeem function, leading to a runtime error that halts the transaction.
Lack of Balance Validation in redeem
- The redeem function does not validate whether the user has sufficient shares to redeem the requested _amount.
- This allows users to redeem more than their proportional share of the underlying tokens, leading to a potential drain of the contract's funds.

3. Impact

Division by Zero Impact:
- The redeem function fails when price() returns 0, disrupting user operations.
Balance Validation Impact:
- Malicious users can exploit this lack of validation to withdraw more than their entitled share of the underlying asset, resulting in:
  - Financial loss for other users.
  - Complete depletion of the contract's funds.

4. Tools Used

Manual code review to analyze the logic of the redeem function and the price() function.
Test cases in a local development environment to confirm the behavior of the vulnerabilities.

5. Recommendations

Fix Division by Zero in price() Function:
- Update the price() function to revert if totalSupply() is 0:
  function price() public view returns (uint256) {
  require(totalSupply() > 0, "No tokens available to redeem");
  return (totalValue() * 10**decimals()) / totalSupply();
  }
Add Balance Validation in redeem:
- Ensure users can only redeem if they have enough shares to cover the _amount:
  function redeem(uint256 _amount, address _recipient) external {
  uint256 sharesToBurn = (_amount * 10**decimals()) / price();
  require(balanceOf(msg.sender) >= sharesToBurn, "Insufficient balance to redeem");
  _burn(msg.sender, sharesToBurn);
  underlying.safeTransfer(_recipient, _amount);
  }

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.