Submission Details
Severity: high
Invalid

Unlimited Token Approvals in StrategyMainnet

Summary

The StrategyMainnet contract uses safeApprove to set unlimited token approvals for the transmuter and router contracts. This is done using the following lines in the constructor and _initStrategy function:

```solidity
asset.safeApprove(address(transmuter), type(uint256).max);
underlying.safeApprove(address(router), type(uint256).max);
```

By approving the maximum possible token amount (type(uint256).max), the contract exposes itself to significant risks, including the possibility of external contracts (or entities controlling them) draining the strategy’s funds. This issue is critical in decentralized environments where trust assumptions should be minimized.

Exploitation Scenario:

  1. If the transmuter contract is compromised, an attacker can call the transferFrom function to drain all approved asset tokens.

  2. Similarly, if the router contract is exploited, it can drain all approved underlying tokens.

This vulnerability undermines the security of user funds and the contract's ability to operate effectively.

Steps to Reproduce

  1. Deploy the contract and observe the approvals for transmuter and router.

  2. Notice that the asset and underlying tokens are approved for the maximum amount (type(uint256).max).

  3. If the transmuter or router contracts are malicious, they can transfer all the approved tokens using transferFrom.

Impact

If either the transmuter or the router contract is compromised or behaves maliciously, an attacker could transfer an unlimited amount of the strategy’s asset or underlying tokens. This could result in a total loss of funds, directly impacting users' assets and the functioning of the strategy.

Tools Used

Manual Review

Recommendations

Dynamic Approvals:
Instead of granting unlimited approvals, dynamically set the approval amount only for the required amount during each operation.

```solidity
if (asset.allowance(address(this), address(transmuter)) < amountNeeded) {
    asset.safeApprove(address(transmuter), amountNeeded);
}
```
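The per-operation approval recommended above can be scoped more tightly by clearing the allowance before and after the external call. The following is an added example, not part of the original submission or the audited code base; `ISpender` and its `pull` function are hypothetical stand-ins for the transmuter and router, whose real interfaces are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC-20 surface used here (standard functions only).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical spender interface (assumption): stands in for the
// transmuter/router, which take tokens from the caller via transferFrom.
interface ISpender {
    function pull(address token, uint256 amount) external;
}

abstract contract ScopedApproval {
    error ApproveFailed();

    // Grants exactly `amount` for the duration of one call, then revokes
    // whatever the spender did not consume, so no standing allowance remains.
    function _callWithAllowance(IERC20 token, ISpender spender, uint256 amount) internal {
        // Clear any stale allowance first: some tokens, and OpenZeppelin v4's
        // safeApprove, reject a change from one non-zero value to another.
        _approve(token, address(spender), 0);
        _approve(token, address(spender), amount);

        spender.pull(address(token), amount);

        // Revoke the remainder if the spender used less than approved.
        if (token.allowance(address(this), address(spender)) != 0) {
            _approve(token, address(spender), 0);
        }
    }

    // Low-level call so tokens that return no value from approve() still work;
    // a returned `false` or a reverted call is treated as failure.
    function _approve(IERC20 token, address spender, uint256 amount) private {
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeCall(IERC20.approve, (spender, amount)));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert ApproveFailed();
    }
}
```

The cost is two or three extra `approve` calls per operation, which is the trade-off against a one-time `type(uint256).max` approval.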

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
